b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n            Protective Security Advisor Program \n\n              Efforts to Build Effective Critical \n\n                Infrastructure Partnerships: \n\n               Oil and Natural Gas Subsector\n \n\n\n\n\n\nOIG-11-12                                       November 2010\n\x0c                                                            Office ofIllspector Gelleral\n\n                                                             u.s. Department of Homeland Security\n                                                            Washington, DC 20528\n\n\n\n\n                             November 12, 2010\n\n                                         Preface\n\nThe Department of Romeland Security (DRS) Office ofInspector General (OIG) was\nestablished by the Homeland Security Act of2002 (Public Law 107-296) by amendment\nto the Inspector General Act of1978. This is one of a series of audit, inspection, and\nspecial reports prepared as part of our oversight responsibilities to promote economy,\nefficiency, and effectiveness within the department.\n\nThis report addresses the overall strengths and weaknesses of the DRS Office of\nInfrastructure Protection\'s Protective Security Advisor Program, and the program\'s role\nin protecting the Oil and Natural Gas Subsector infrastructure of the Energy Sector. It is\nbased on interviews with employees and officials of relevant government agencies and\nprivate sector companies and organizations; direct observations; and a review of\napplicable documents and data. This report is one in a series of reviews of DRS\' roles,\nresponsibilities, and performance in the 18 critical infrastructure and key resources\nsectors.\n\nThe recommendations herein have been developed to the best knowledge available to our\noffice, and have been discussed in draft with those responsible for implementation. We\ntrust this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all of those who contributed to the preparation of this report.\n\n\n                                 C~Q~(\xc2\xb7\n                                  Carlton MannI.\n                                      Assistant Inspector General for Inspections\n\x0cTable of Contents/Abbreviations\n\nExecutive Summary .............................................................................................................1 \n\n\nBackground ..........................................................................................................................2 \n\n   CIKR Protection Strategies, Directives, and Legislation...............................................2 \n\n   DHS\xe2\x80\x99 CIKR Integration Efforts .....................................................................................4 \n\n   Coordination, Collaboration, and Partnership ...............................................................5 \n\n   PSA Program Overview.................................................................................................7 \n\n   Oil and Natural Gas Subsector.....................................................................................10 \n\n\nResults of Review ..............................................................................................................13 \n\n   PSAs Develop Partnerships to Further Risk Reduction Efforts...................................13 \n\n   Stakeholders Consider PSAs an Effective Resource ...................................................15 \n\n   Recommendation .........................................................................................................26 \n\n   Management Comments and OIG Analysis ................................................................26 \n\n\n     A Well Defined and Communicated Mission Will Enhance Building \n\n      Effective Critical Infrastructure Partnerships ...........................................................28 \n\n     Recommendations........................................................................................................30 \n\n     Management Comments and OIG Analysis ................................................................30 \n\n\n     Coordination and Communication within DHS Needs Improvement .........................32 \n\n     Recommendation .........................................................................................................34 \n\n     Management Comments and OIG Analysis ................................................................34 \n\n\n     More PSA Program Support to Sector Leadership Partners is Needed .......................35 \n\n     Recommendations........................................................................................................37 \n\n     Management Comments and OIG Analysis ................................................................38 \n\n\n     Current Metrics are Inadequate to Measure PSA Program Performance \n\n      and Outcomes ...........................................................................................................40 \n\n     Recommendation .........................................................................................................43 \n\n     Management Comments and OIG Analysis ................................................................44 \n\n\nConclusion .........................................................................................................................45 \n\n\n\n\nFigures\n     Figure 1: 18 Critical Sectors .........................................................................................5\n\n     Figure 2: Map of PSA and IP Regional Director Distribution .....................................8 \n\n     Figure 3: PSA Partnerships to Risk Reduction ...........................................................14 \n\n\n\n\n\n       Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                         Oil and Natural Gas Subsector \n\n\x0cAppendices\n  Appendix A:      Purpose, Scope, and Methodology .......................................................46 \n\n  Appendix B:      Management Comments to the Draft Report ........................................48 \n\n  Appendix C:      Sectors, Subsectors, and Sector-Specific Agencies ..............................55 \n\n  Appendix D:      PSA Program Organization Chart ........................................................57 \n\n  Appendix E:      Energy Government Coordinating Council Membership .....................58 \n\n  Appendix F:      Oil and Natural Gas Sector Coordinating Council Membership ..........59 \n\n  Appendix G:      Major Contributors to This Report .......................................................61 \n\n  Appendix H:      Report Distribution ...............................................................................62 \n\n\n\n\nAbbreviations\n   BZPP              Buffer Zone Protection Program\n   CIKR              Critical infrastructure and key resources\n   DHS               Department of Homeland Security\n   DOE               Department of Energy\n   ECIP              Enhanced Critical Infrastructure Protection Initiative\n   FEMA              Federal Emergency Management Agency\n   FOIA              Freedom of Information Act\n   GCC               Government Coordinating Council\n   IP                Office of Infrastructure Protection\n   NICC              National Infrastructure Coordinating Center\n   NIPP              National Infrastructure Protection Plan\n   NPPD              National Protection and Programs Directorate\n   OIG               Office of Inspector General\n   PCII              Protected Critical Infrastructure Information\n   PSA               Protective Security Advisor\n   PSCD              Protective Security Coordination Division\n   RRAP              Regional Resiliency Assessment Program\n   SAV               Site Assistance Visit\n   SCC               Sector Coordinating Council\n   SSA               Sector Specific Agency\n   TSA               Transportation Security Administration\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\x0cOIG\n \n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                  The Department of Homeland Security is responsible for protecting and\n                  strengthening resiliency of the nation\xe2\x80\x99s critical infrastructure and key\n                  resources, which are assets, systems, and networks integral to the\n                  nation\xe2\x80\x99s economy, security, and public health. As private industry owns\n                  and operates a significant portion of the nation\xe2\x80\x99s critical infrastructure,\n                  the department emphasizes developing and sustaining public and private\n                  sector partnerships to secure and protect critical infrastructure. Within\n                  the department, the Protective Security Advisor Program develops these\n                  relationships and supports risk reduction activities.\n\n                  We reviewed Protective Security Advisor Program activities to support\n                  the department\xe2\x80\x99s mission to identify, prioritize, assess, and protect the\n                  nation\xe2\x80\x99s critical infrastructure and key resources in the Oil and Natural\n                  Gas Subsector of the Energy Sector. We also reviewed program efforts\n                  to coordinate with subsector stakeholders to help strengthen critical\n                  infrastructure protection capabilities, identify vulnerabilities, and reduce\n                  risks.\n\n                  Public and private stakeholders confirm that the Protective Security\n                  Advisor Program is an effective resource. As more innovative methods,\n                  techniques, and tools are developed, the program is adapting\n                  accordingly to meet the needs of department partners and to maintain\n                  program staff capabilities. While extensive stakeholder relationships\n                  and partnerships are developing at the state, local, and community\n                  levels, more attention is necessary to incorporate national level partners\n                  and stakeholders into strategic program planning. In addition, enhanced\n                  efforts to coordinate within the department and to collaborate with other\n                  federal partners would increase the program\xe2\x80\x99s value to stakeholders.\n\n                  We are making seven recommendations to improve the Protective\n                  Security Advisor Program\xe2\x80\x99s effectiveness and to increase program\n                  coordination and communication with private and federal partners. In\n                  response to our report, the department has proposed plans and taken\n                  action that, once fully implemented, will reduce a number of\n                  deficiencies we identified. Department officials concurred with five of\n                  the recommendations and did not concur with two recommendations.\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                  Page 1\n \n\n\x0cBackground\n                 Critical infrastructure are assets, systems, and networks, both physical or\n                 virtual, which are so vital to the United States that incapacitation or\n                 destruction would debilitate security, national economic security, and\n                 public health or safety. Key resources are publicly or privately controlled\n                 resources essential to the minimal operations of the economy and\n                 government. The federal government, state and local governments,\n                 communities, and private industry own and operate critical infrastructure\n                 and key resources (CIKR); however, the private sector owns a significant\n                 portion of CIKR. Currently, there are 18 separate CIKR sectors, for which\n                 different federal agencies lead protection efforts. These characteristics\n                 make CIKR protection a unique challenge that requires extensive\n                 coordination and partnership between and among the public and private\n                 sectors.\n\n        CIKR Protection Strategies, Directives, and Legislation\n                 The Critical Infrastructure Protection Act of 2001, acknowledged that the\n                 public and private sectors were interdependently linked through a network\n                 of critical physical and information infrastructures that only a continuous\n                 national effort could protect.1 In addition to establishing the current\n                 definition for critical infrastructure, this legislation mandated that all\n                 actions to limit or prevent exposure of these infrastructures to disruption\n                 occur through a public-private partnership.\n\n                 In July 2002, the National Strategy for Homeland Security identified the\n                 nation\xe2\x80\x99s strategic homeland security objectives, and identified major\n                 initiatives within each to protect the nation\xe2\x80\x99s CIKR.2 It acknowledged that\n                 CIKR protection required compatible, mutually supporting strategies and\n                 efforts from government and the private sector. Major initiatives outlined\n                 included developing a national plan to unify and coordinate the nation\xe2\x80\x99s\n                 infrastructure protection efforts; assessing all of the nation\xe2\x80\x99s CIKR to\n                 identify vulnerabilities; enabling the sharing, integrating, and protection of\n                 the sensitive information collected; and building collaborative partnerships\n                 between the federal, state, and local governments and the private sector.\n\n\n1\n  Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct\nTerrorism (USA PATRIOT) Act of 2001, Public Law 107-56, Sec. 1016 (October 26, 2001).\n2\n  On October 5, 2007, the President\xe2\x80\x99s Homeland Security Council updated and reissued the National\nStrategy for Homeland Security. It reflected new threat analyses, incorporated lessons learned from\nHurricane Katrina and other catastrophic incidents, and described initiatives originating after the 2002\nversion as well as those under development for future deployment.\n\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                    Page 2\n \n\n\x0c                   The Homeland Security Act of 2002, assigned the Department of\n                   Homeland Security (DHS) responsibility and authority to fulfill the CIKR\n                   missions defined in the National Strategy for Homeland Security.3 The\n                   legislation also included the Critical Infrastructure Information Act of\n                   2002.4 This Act protects CIKR data voluntarily submitted to the\n                   government from disclosure under the Freedom of Information Act, state\n                   and local disclosure laws, and use in civil litigation or as the basis for\n                   regulatory action.5 Pursuant to the Critical Infrastructure Information Act,\n                   DHS has developed and implemented the Protected Critical Infrastructure\n                   Information (PCII) Program, an information-protection program that\n                   enhances information sharing between the private sector and the\n                   government.\n\n                   In February 2003, the release of the National Strategy for the Physical\n                   Protection of Critical Infrastructures and Key Assets expanded on critical\n                   mission areas identified in the National Strategy for Homeland Security.\n                   It described an organizational structure designed to unify CIKR protection\n                   efforts, and established the framework for a public-private partnership. It\n                   also described specific roles and responsibilities for each partner,\n                   including DHS; lead departments and agencies; supporting federal\n                   agencies; state, tribal, and local governments, and private industry. In\n                   addition, the 2003 strategy identified key initiatives for each critical sector\n                   of the economy recognized in the National Strategy for Homeland\n                   Security, and for collaborative efforts in resolving issues crossing critical\n                   infrastructure sector and jurisdictional boundaries.\n\n                                              In December 2003, Homeland Security\n            \xe2\x80\x9cWhile it is not possible to\n            protect or eliminate the          Presidential Directive-7: Critical Infrastructure\n            vulnerability of all critical     Identification, Prioritization, and Protection,\n            infrastructure and key            established a national policy for collaborative\n            resources throughout the\n            country, strategic\n                                              efforts to protect the nation\xe2\x80\x99s CIKR. This\n            improvements in security can      directive assigned DHS the responsibility for\n            make it more difficult for        coordinating the overall national effort to enhance\n            attacks to succeed and can\n            lessen the impact of attacks\n                                              CIKR protection and leading, integrating, and\n            that may occur.\xe2\x80\x9d                  coordinating implementation efforts among federal\n            -- Homeland Security Presidential departments and agencies; state, local, tribal, and\n            Directive-7, December 17, 2003    territorial governments; and the private sector. In\n                                              addition, the directive designated certain lead\n                     federal agencies as Sector-Specific Agencies (SSA), responsible for CIKR\n\n\n3\n    Public Law 107-296 (November 25, 2002).\n \n\n4\n    Title II, Part B of The Homeland Security Act, Public Law 107-296 (November 25, 2002). \n\n5\n    5 U.S.C. \xc2\xa7 552\n \n\n\n\n\n       Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                         Oil and Natural Gas Subsector \n\n\n                                                      Page 3\n \n\n\x0c                   protection activities in their designated sector. It also mandated that DHS\n                   and the SSAs coordinate with the private sector to identify, prioritize, and\n                   coordinate CIKR protection, and to facilitate information sharing about\n                   threats, vulnerabilities, incidents, potential protective measures, and best\n                   practices. The directive required DHS to produce an integrated national\n                   plan for CIKR, and to implement all systems and procedures for sharing\n                   and protecting CIKR-related information among federal, state, and local\n                   governmental entities, and the private sector.\n\n          DHS\xe2\x80\x99 CIKR Integration Efforts\n                   Founded on the public-private partnership concept, and building upon\n                   these previous CIKR policies and strategies, DHS issued the National\n                   Infrastructure Protection Plan (NIPP) in June 2006, and updated it in\n                   February 2009. The NIPP specifies a framework for increasing security\n                   and resiliency of the nation\xe2\x80\x99s CIKR through understanding and sharing\n                   information about terrorist threats and other hazards; building security\n                   partnerships to share information and implement CIKR protection\n                   programs; implementing a long-term risk management program; and\n                   maximizing efficient use of resources for CIKR protection. The NIPP\n                   defines processes, methods, tools, and relationships that security partners\n                   and stakeholders need to achieve these objectives. DHS\xe2\x80\x99 Office of\n                   Infrastructure Protection (IP) uses the NIPP framework to lead the\n                   coordinated national effort to reduce the nation\xe2\x80\x99s CIKR risk, and to work\n                   toward a safe, secure, and resilient national infrastructure based on and\n                   sustained through strong public and private partnerships.\n\n                   The NIPP describes 18 \xe2\x80\x9clogical collections of assets, systems, or networks\n                   that provide a common function to the economy, government, or society,\xe2\x80\x9d\n                   or critical sectors.6 See Figure 1 for a list of the sectors, and Appendix C\n                   for a more detailed description of each sector. The sectors encompass all\n                   aspects of the American economy and way of life: essential goods and\n                   services, governmental institutions, national defense industries and\n                   contractors, connecting data and communications, and economic and\n                   business structure services. Many of the sectors cover large, diverse\n                   industries, that, although they all provide common services to society,\n                   have different needs, approaches, vulnerabilities, and security solutions.\n                   In some cases, sectors are broken down into subsectors to address these\n                   differences.\n\n\n\n\n6\n    National Infrastructure Protection Plan, February 2009.\n\n\n\n       Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                         Oil and Natural Gas Subsector \n\n\n                                                      Page 4\n \n\n\x0c            Sector-Specific Agency Roles\n                                                                       Figure 1: 18 Critical Sectors\n            DHS is the SSA for 11 of the 18 CIKR \n\n            sectors (See Figure 1), and coordinates the \n\n            protection of the seven remaining sectors. \n                      CIKR Sectors\n                                                                         Banking and Finance\n            SSAs work with DHS, through IP, to \t\n                        Chemical *\n            implement the NIPP; form partnerships \n                      Commercial Facilities *\n            with relevant federal, state, local, and \n                   Communications *\n            private sector entities; cultivate information \n             Critical Manufacturing *\n                                                                         Dams *\n            sharing and analysis; develop protective \n\n                                                                         Defense Industrial Base\n            programs and strategies; and provide \n\n                                                                         Emergency Services *\n            guidance as needed. SSAs also provide, \n                     Energy\n            arrange, or facilitate sector-specific \n                     Food and Agriculture\n            training, domestic incident management \n                     Government Facilities *\n            and preparedness activities, and \n                           Healthcare and Public Health\n            interdependency and consequence \n                            Information Technology * \n\n            analyses. Each SSA is responsible for \n                      National Monuments and Icons \n\n            developing, implementing, and maintaining \n                  Nuclear * \n\n            a sector specific plan that describes the \n                  Postal & Shipping * \n\n            sector\xe2\x80\x99s ongoing and future protection \n                     Transportation Systems *\n\n            initiatives. In addition, SSAs assess sector \n               Water\n            progress and report the results to DHS in \n                  * DHS has SSA Responsibility\n            sector-level annual reports and in periodic \n                Source: NIPP, February 2009\n            performance feedback reports. \n\n\n   Coordination, Collaboration, and Partnership\n            While DHS leads the national CIKR protection efforts, coordinating and\n            collaborating with relevant stakeholders is essential. These stakeholders\n            and partners include the companies and trade associations within the\n            private sector; public entities responsible for emergency or incident\n            management and homeland security; and federal entities that regulate or\n            partner with the private sector and state CIKR programs. The NIPP\n            presents an organizational structure known as the sector partnership model\n            that provides stakeholders with a defined process for coordinating,\n            exchanging information, joint planning, and providing information on and\n            analysis of governmental efforts and initiatives. The model includes\n            overlapping coordinating and advisory councils led by public and private\n            sector partnerships, with guidance, tools, and support from DHS.\n\n            IP collaborates with the 18 sectors mainly through the Sector Coordinating\n            Councils (SCC), which are the principal sector policy coordination and\n            planning entities. Each SCC is self-organized, self-run, self-governed, and\n            independent of the federal government. It is composed of sector\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                               Page 5\n \n\n\x0c                  stakeholders reflecting the sector\xe2\x80\x99s composition, including owner/operator\n                  representatives of facilities, major corporate entities, and trade\n                  associations representing companies of varying sizes. In some cases,\n                  SCCs exist for subsectors. For example, within the Energy Sector, the Oil\n                  and Natural Gas Subsector has an SCC. The SCCs provide forums for\n                  private industry to identify and implement effective information-sharing\n                  capabilities; organize and coordinate sector policies in planning and\n                  preparedness, exercises and training, public awareness, and NIPP\n                  implementation activities; integrate public sector plans with private-sector\n                  initiatives; and provide input to the government on sector research and\n                                                  development efforts and requirements.\n          Building partnerships represents the \n\n          foundation of the national CIKR \n        Stakeholders also interact through a variety\n          protection effort. These partnerships\n          provide a framework to:                  of other councils. For example, the\n           \xe2\x80\xa2\t Exchange ideas, approaches, and      Government Coordinating Council (GCC) is\n              best practices;                      the public sector counterpart to the SCC and\n           \xe2\x80\xa2\t Facilitate security planning and     is co-chaired by SSA and IP leadership.7\n              resource allocation;\n                                                   The Critical Infrastructure Partnership\n           \xe2\x80\xa2\t Establish effective coordinating\n              structures among partners;           Advisory Council affords all of the SCCs\n           \xe2\x80\xa2\t Enhance coordination with the        and GCCs a forum to engage in joint\n              international community; and         discussions and activities that have national,\n           \xe2\x80\xa2\t Build public awareness.              all-sector effect; and through the CIKR\n          -- NIPP, February 2009                   Cross-Sector Council SCC leaders explore\n                                                   cross-sector and interdependency matters.\n                    The Government Cross-Sector Council, which includes the NIPP Federal\n                    Senior Leadership Council and the State, Local, Tribal, and Territorial\n                    Government Coordinating Council, facilitates communication,\n                    collaboration, and coordination among the GCCs and other federal and\n                    non-federal public sector entities.8 In addition, the Regional Consortium\n                    Coordinating Council provides a forum for those with regionally based\n                    interests in CIKR protection, involving multi-jurisdictional, cross-sector,\n                    and public-private sector efforts focused on the preparedness, protection,\n                    response, and recovery of infrastructure and the associated economies\n                    within a defined population or geographic area.9\n\n7\n  IP\'s Sector-Specific Agency Executive Management Office carries out SSA responsibilities for six of the\n18 CIKR sectors: Chemical; Commercial Facilities; Critical Manufacturing; Dams; Emergency Services;\nand Nuclear Reactors, Materials, and Waste.\n8\n  The NIPP Federal Senior Leadership Council consists of leadership representatives from the SSAs as\nwell as other federal agencies with interests relevant to CIKR protection and resiliency. The State, Local,\nTribal, and Territorial Government Coordinating Council consists of homeland security directors or their\nequivalents from state, local, tribal, and territorial governments.\n9\n  Members of the Regional Consortium Coordinating Council include regional partnerships, groupings,\nand governance bodies. Because coordination across government jurisdictions is crucial, the Chair of the\nState, Local, Tribal, and Territorial Government Coordinating Council is also a standing member.\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                    Page 6\n \n\n\x0c         PSA Program Overview\n                  IP\xe2\x80\x99s mission is to lead the national effort to mitigate terrorism risk to,\n                  strengthen the protection of, and enhance the all-hazard resilience of the\n                  Nation\'s critical infrastructure. Within IP, the Protective Security\n                  Coordination Division (PSCD) is responsible for assessing vulnerabilities\n                  and consequences; developing, implementing, and providing national\n                  coordination for protective programs; and facilitating CIKR response and\n                  recovery operations in an all-hazards environment to reduce risk to the\n                  nation\xe2\x80\x99s CIKR. The Division\xe2\x80\x99s Field Operations Branch manages the\n                  Protective Security Advisor (PSA) Program to assist PSCD in carrying out\n                  these responsibilities.\n\n                  The PSA Program supports DHS\xe2\x80\x99 CIKR efforts by encouraging state,\n                  local, tribal, and territorial governments, and private CIKR\n                  owner/operators to participate and collaborate within the NIPP risk\n                  management framework. The PSAs are DHS\xe2\x80\x99 on-site critical\n                  infrastructure and security specialists assigned at the local level\n                  throughout the United States. Through the coordination of vulnerability\n                  assessments, incident support, and information sharing, PSAs seek to\n                  improve the security posture of the stakeholders.\n\n                  The program began as a pilot in 2004, with one PSA who met with state\n                  Homeland Security Advisors and other stakeholders to determine needs\n                  and expectations for DHS field-level CIKR protection specialists. Based\n                  on the response from those meetings, the program added PSAs in early\n                  2005 and developed further. From FY 2005 to FY 2010, the program\n                  increased from 56 to 93 PSAs. PSAs are deployed to 70 districts, and the\n                  program has a budget of more than $12 million for FY 2010.10 As of\n                  September 2010, the program had at least one PSA in all 50 states and\n                  Puerto Rico, eight IP Regional Directors, and six PSA positions at\n                  headquarters.11\n\n                  The PSA Program has two geographic sections, the East and West, each\n                  managed by one Section Chief. Both sections have four designated\n                  regions, and one IP Regional Director manages each region. IP Regional\n                  Directors report to their respective Section Chief and manage PSA\n                  activities in their region. Figure 2 depicts the PSA and IP Regional\n\n\n10\n   Districts include a combination of entire states, portions of states, and major metropolitan areas. Several\nPSAs share duties in a number of large cities, as needed to provide adequate coverage for the distribution of\nCIKR, while other PSAs cover the remaining portions of the state.\n11\n   IP Regional Directors function as Supervisory PSAs and are included in the cadre of 93 PSAs.\n\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                    Page 7\n \n\n\x0c                 Director national distribution as of September 2010. An organization\n                 chart showing PSA staff distribution is in Appendix D.\n\nFigure 2: Map of PSA and IP Regional Director Distribution\n\n\n\n\n                                              Source: OIG analysis of information provided by IP, September 2010.\n\n\n\n                 Stakeholders expect PSAs to know intimately the districts they serve. As\n                 such, program-hiring officials look for prospective candidates with\n                 specific background, experience, and relationships already established in\n                 particular geographic areas. Current PSAs average more than 20 years\n                 experience in military, counter-terrorism, or law enforcement, are\n                 specialists in security with critical infrastructure experience and\n                 knowledge, and are not necessarily specialists in any particular sector. As\n                 PSAs work with stakeholders in all 18 sectors, the position requires a\n                 thorough understanding of programs that affect critical infrastructure\n                 within DHS and in other agencies, or a significant foundation upon which\n                 to build such knowledge.\n\n                 PSA training requirements are structured and delineated in a multi-year\n                 Learning Roadmap. The Roadmap defines five levels of advancement and\n                 achievement for PSAs, each with specific required training and optional\n                 areas of study. It includes required basic knowledge and skills, such as\n                 relevant policies, tools, and programs, and progressively builds on that\n                 knowledge base to develop specializations and areas of expertise. The\n                 training includes courses and instruction developed internally by IP, as\n                 well as from a variety of federal agencies and private organizations,\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                    Page 8\n\n\x0c            including DHS\xe2\x80\x99 Federal Emergency Management Agency (FEMA), DHS\xe2\x80\x99\n            Federal Law Enforcement Training Center, and ASIS International.\n\n            The program also maintains membership for all PSAs in ASIS\n            International, an international organization for security professionals, and\n            encourages PSAs to pursue professional certifications ASIS International\n            offers, such as the Certified Protection Professional and Physical Security\n            Professional.\n\n            PSAs function as the department\xe2\x80\x99s field liaisons and coordinators to\n            support critical infrastructure protection efforts. These efforts involve\n            collaborating with private industry, state and local governments, and\n            federal partners. PSAs are building and maintaining information-sharing\n            partnerships; coordinating or performing site vulnerability assessments\n            and surveys; and assisting during incidents. After establishing a\n            relationship with a stakeholder, the PSA functions as a liaison between\n            that organization and IP, and often facilitates access to other DHS\n            components, or to state and regional agencies. Although the PSAs build\n            relationships with stakeholders in all sectors, a PSA may work primarily in\n            the sectors whose infrastructure is the dominant concern for the state,\n            geographic area, or district they serve.\n\n            Tools and Resources\n\n            The PSA Program has a variety of technological, human, and physical\n            resources that enable PSAs to respond to and interact with geographically\n            dispersed stakeholders across the nation and program officials in\n            headquarters. For example, the PSAs use a web-based, central data\n            warehouse developed to track their activities as well as maintain a\n            knowledge base on the nation\xe2\x80\x99s critical infrastructure. This system\n            maintains the PSAs\xe2\x80\x99 schedules and activities, which allows program\n            officials to respond timely to questions from stakeholders and DHS\n            leadership about ongoing fieldwork or work on certain CIKR efforts.\n            PSAs can quickly upload incident status updates, report on affected\n            facilities, and assist in prioritizing efforts based on the facility\xe2\x80\x99s\n            capabilities and its local, regional, and national criticality.\n\n            Program leadership attributes much of the PSA Program success to the\n            centralized support provided by its Duty Desk. The Duty Desk, located at\n            headquarters, provides 24-hour support to the PSAs and answers both\n            administrative and technical questions. The Duty Desk also tracks and\n            assigns tasks and information requests from DHS leadership and other\n            stakeholders. In addition, the Duty Desk coordinates requests to provide\n            speakers at various events or locates appropriate DHS officials outside of\n            IP.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                               Page 9\n\n\x0c            The Field Operations Branch\xe2\x80\x99s Field Support Section within PSCD\n            coordinates headquarters support for the PSAs. This includes\n            administrative and project management assistance, property management\n            support coordination, IT support coordination, logistics, and data analysis\n            and reporting. Because of the PSAs\xe2\x80\x99 extensive travel, the branch\n            dedicates two Field Support Team staff to organize travel and maintain\n            travel records to support PSAs.\n\n   Oil and Natural Gas Subsector\n            The Energy Sector consists of thousands of geographically dispersed\n            electricity, oil (petroleum), and natural gas assets. A myriad of systems\n            and networks in most of the nation\xe2\x80\x99s states and territories connect them. A\n            wide variety of public and private entities own, operate, and regulate these\n            assets. Because the activities and assets supporting electricity resources\n            infrastructure differ significantly from those for oil and natural gas in\n            extraction/generation, production, transport, distribution, and storage, each\n            is separated into subsectors within the Energy Sector. The Department of\n            Energy (DOE) is the SSA for the Energy Sector and its Oil and Natural\n            Gas and Electricity Subsectors.\n\n            The oil and natural gas industry is an example of a CIKR subsector that\n            engages PSAs throughout the nation and requires coordination among\n            many entities. The Oil\n            and Natural Gas                U.S. Oil and Natural Gas Statistics [January 2010]\n            Subsector is functionally      Number of Operable Refineries ............................ 150 \n\n            diverse, consisting of         Oil, Natural Gas Pipeline Mileage .................. 2,534,000\n \n\n            pipelines, control             Oil, Natural Gas Imports [barrels/day] ........... 10,487,000\n \n\n            systems, above- and\n                                           Sources: Energy Information Administration;\n            below-ground storage \t         Pipeline and Hazardous Materials Safety Administration,\n                                           Department of Transportation\n            facilities, refineries,\n            processing plants, and\n            marine ports, as well as offshore and onshore fields and facilities. To\n            secure and monitor its production cycle, the industry relies on a series of\n            complex systems that involve physical and virtual capabilities for\n            processing, refining, storing, and distributing or transporting fuel products.\n            As an older and heavily regulated industry, the Oil and Natural Gas\n            Subsector has mature mandatory and voluntary security policies and\n            processes, which it implements independently, through industry\n            associations, and with governmental oversight.\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 10\n \n\n\x0c            Oil and Natural Gas Subsector Stakeholders\n\n            Within the Oil and Natural Gas Subsector, public-private partnerships\n            address security issues of concern to the subsector, and share information\n            on threats, vulnerabilities, and protective measures. The Oil and Natural\n            Gas SCC represents private sector security partners. The SCC\n            membership includes 23 trade associations and represents approximately\n            98% of the industry\xe2\x80\x99s owner/operators. A list of Oil and Natural Gas SCC\n            members is in Appendix F.\n\n            The Oil and Natural Gas Subsector relies heavily on Transportation\n            Systems Sector infrastructure, including pipelines, freight rail, and\n            maritime facilities. Because of these interdependencies, the Oil and\n            Natural Gas SCC established the Pipeline Working Group, which also acts\n            as a Pipeline SCC within the Transportation Systems SCC. This group\n            allows the two SCCs to coordinate on oil and natural gas transportation\n            security issues, and reduces duplicative meetings and efforts.\n\n            In addition, many energy-related facilities and infrastructure also operate\n            as chemical or hazardous materials facilities, creating interdependencies\n            with the Chemical Sector. The Oil and Natural Gas SCC and Chemical\n            SCC have formed joint working groups to discuss and make\n            recommendations on issues of mutual concern, to include emergency\n            management and metrics.\n\n            There are also numerous national and regional associations and working\n            groups with state and local official participation. These organizations\n            coordinate activities and emergency response, and develop policies that\n            affect oil and natural gas security. Further, private industry stakeholders\n            have formed Facility Security Officer working groups, the Energy\n            Security Council, and Internal Security working groups. Through these\n            groups, members are able to network and share best security practices to\n            enhance the overall security posture of the industry. In addition, some\n            groups often invite federal and state partners, such as the Federal Bureau\n            of Investigation and state Homeland Security Agencies, to participate.\n\n            Regulatory organizations with roles in the various aspects of the oil and\n            natural gas industry cover municipalities, cities, states, regions and federal\n            offices, commissions, agencies, and departments. The industry\xe2\x80\x99s many\n            diverse facilities and commodities are separately regulated and have\n            multiple stakeholders and trade associations. In addition, governmental\n            agencies at the state, local, tribal, and federal levels are responsible for\n            emergency planning, incident management, homeland security, and for\n            preventing and responding to energy supply, demand, and pricing\n            concerns.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 11\n\n\x0c                   The Department of Transportation\xe2\x80\x99s Pipeline and Hazardous Materials\n                   Safety Administration and the Pipeline Security Division of DHS\xe2\x80\x99\n                   Transportation Security Administration\xe2\x80\x99s (TSA) Office of Transportation\n                   Sector Network Management are responsible for the operational safety\n                   and security of the oil and natural gas pipelines used to transport raw and\n                   refined fuel products. The Pipeline and Hazardous Materials Safety\n                   Administration develops uniform standards and administers the national\n                   regulatory program to assure the safety of pipeline transport of natural gas,\n                   petroleum, and other liquid hazardous materials. TSA\xe2\x80\x99s Pipeline Security\n                   Division endeavors to enhance the security preparedness of the nation\xe2\x80\x99s\n                   pipeline systems through security programs; assessments, reviews, and\n                   analysis; and sharing industry best practices and lessons learned. The two\n                   agencies executed a formal agreement in August 2006 to delineate lines of\n                   authority and responsibility; and to establish guidelines for cooperation,\n                   collaboration, and information sharing to ensure coordinated, consistent,\n                   and effective activities, as well as no duplication of effort.\n\n                   The U.S. Coast Guard regulates the ports, vessels, and waterfront facilities\n                   used by the Oil and Natural Gas Subsector to ship or receive bulk\n                   shipments. These ports, vessels, and facilities must meet the requirements\n                   for security assessments and security plans implemented because of the\n                   Maritime Transportation Security Act of 2002.12 This Act established a\n                   consistent national security program by requiring port, facility, and vessel\n                   assessments and plans that include such measures as screening and\n                   personnel identification procedures, security patrols, access control, and\n                   collaboration through area committees. The U.S. Coast Guard\n                   promulgates and enforces regulations, policies, and directives\n                   implementing the Act\xe2\x80\x99s provisions; reviews security and incident response\n                   plans; conducts assessments; and ensures alignment with existing\n                   domestic maritime regulations and directives.\n\n                   We reviewed how PSA Program operations and activities support DHS\xe2\x80\x99\n                   mission to identify, prioritize, assess, and protect the nation\xe2\x80\x99s CIKR in the\n                   Oil and Natural Gas Subsector of the Energy Sector. We also reviewed\n                   the program\xe2\x80\x99s role in coordinating with subsector stakeholders to help\n                   strengthen critical infrastructure protection capabilities, identify\n                   vulnerabilities, and reduce risks.\n\n\n\n\n12\n     Public Law 107-295 (November 25, 2002).\n\n\n\n       Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                         Oil and Natural Gas Subsector \n\n\n                                                     Page 12\n \n\n\x0cResults of Review\n               PSAs develop relationships with private sector stakeholders to encourage\n               mitigation and risk reduction actions at critical sites and facilities. PSAs\n               also build partnerships with public sector stakeholders in state and local\n               CIKR programs to assist and facilitate implementing the NIPP, including\n               identifying, prioritizing, assessing, and securing public and private sector\n               critical sites and facilities. Although PSA activities align with DHS\xe2\x80\x99\n               mission and the partnership model stated in the NIPP, there is no clearly\n               defined mission statement directing PSA Program activities, and PSAs are\n               unable to articulate effectively the program\xe2\x80\x99s full value to public and\n               private stakeholders. Unclear goals and objectives are also causing\n               tension within DHS and with other governmental partners, as PSA\n               activities and relationships appear to overlap, duplicate, or conflict with\n               critical protection efforts of other entities. Lastly, the program needs to\n               develop metrics properly suited to measuring outcomes achieved, while\n               taking into account the diversity of each sector and jurisdiction.\n\n      PSAs Develop Partnerships to Further Risk Reduction Efforts\n               PSAs develop relationships with private sector stakeholders to encourage\n               mitigation and risk reduction actions at critical sites and facilities. We\n               separate the evolution of these relationships into four distinct phases\xe2\x80\x94\n               introduction, interaction, assessment, and change\xe2\x80\x94and public and private\n               stakeholders identified different benefits and some challenges at each\n               phase. The PSA Program can improve the value realized in each phase by\n               defining and communicating a clearer results-oriented mission and by\n               improving its coordination and communication efforts with sector\n               partners.\n\n               From our interviews with a wide variety of stakeholders, PSAs develop\n               stakeholder relationships in progression to further risk reduction efforts,\n               and the evolution involves initial contact and introduction; increased\n               engagement and interaction; assessments; and ultimately effecting change\n               through stakeholders voluntarily implementing enhanced security\n               measures. Figure 3 describes this progression. Differences in states,\n               facilities, and sectors influence how quickly a PSA can progress\n               relationships from the introduction phase, to the interaction and\n               assessment phases, and eventually effect change.\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                 Page 13\n \n\n\x0cFigure 3: PSA Partnerships to Risk Reduction\n\n\n\n\n                                                                                          Source: OIG Analysis\n\n\n\n               During the introduction phase, the PSA makes contact with stakeholders,\n               either independently or through other established contacts. The PSA is\n               building a network of contacts across sectors, companies, and public\n               agencies by working directly with state and local government officials;\n               conducting outreach calls and visits to agencies and facilities; attending\n               meetings of regional, state, local, community, and industry organizations;\n               and delivering briefings to introduce and advertise the PSA Program and\n               DHS CIKR efforts. Stakeholders become aware that the PSA is available\n               as a security resource, and DHS establishes initial stakeholder\n               connections, creating an environment for future partnership.\n\n               In the interaction phase, stakeholders, both public and private, use the PSA\n               as a resource. The PSA and stakeholders communicate frequently on\n               training opportunities and threat information as allowable. Stakeholders\n               introduce the PSA to other contacts and invite participation in meetings\n               and exercises. Stakeholders communicate PSA capabilities and resources\n               available, further developing the PSA\xe2\x80\x99s network. PSAs assist stakeholders\n               in making valuable contacts with other federal, public, and private CIKR\n               partners. The PSA is also an integral part of incident and event\n               management. DHS receives additional benefits because the PSA can\n               contact stakeholders for immediate situational awareness during incidents.\n               DHS also gains state and local insight on the criticality of certain assets to\n               specific regions and the Nation.\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                 Page 14\n \n\n\x0c                  The assessment phase involves the PSA conducting or coordinating\n                  vulnerability assessments. These assessments include preparations for\n                  Special Security Events and incident response.13 Both public and private\n                  stakeholders gain third party insight on the security posture of sites,\n                  facilities, and communities; empowering stakeholders to implement\n                  changes. DHS gains additional insight on national risk and\n                  interdependencies, and progresses toward its ultimate goal of risk\n                  reduction.\n\n                  The change phase is the point where the stakeholder voluntarily\n                  implements enhancements to its security posture. CIKR owner/operators\n                  at the corporate and facility levels address vulnerabilities identified\n                  through PSA assessments, thereby reducing risks and mitigating threats.\n\n         Stakeholders Consider PSAs an Effective Resource\n                  We interviewed public and private stakeholders in the oil and natural gas\n                  industry, as well as various state and local CIKR protection partners.\n                  Regardless of the phase, stakeholders described relationships with\n                  designated PSAs and services provided as valuable.\n\n                                          Phase One: Introduction\n\n                                        Many PSAs described stakeholder introductions as\n                                        crucial to developing a foundation for relationship\n                                        progression, and rely on these relationships. These\n                                        relationships allow PSAs to provide services, collect\n                                        data on CIKR protective efforts, expand networks, and\n                                        get information quickly to DHS senior leadership\n                                        during an incident or event. Although a number of\n                                        PSAs had established contacts and ties to communities\n                                        before joining the program, PSAs build new\n                                        relationships. In many cases, a PSA\xe2\x80\x99s credentials,\n                                        experience, approach, and work ethic help establish\n                                        common ground with facility security managers. To\n                           gain trust, acceptance, and to be of value, stakeholders said PSAs\n                           need a humble demeanor, an eagerness to learn the industry, and\n                           should be open and responsive. Stakeholders considered a PSA\n                           most effective when willing to assist, while not being demanding\n                           or disrespectful of the stakeholder\xe2\x80\x99s time.\n\n\n13\n   Special Security Event is a DHS designation for an event that requires federal resources and unique\nsecurity plans and training because of anticipated dignitary attendance, event size, and event significance.\n\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                   Page 15\n \n\n\x0c                      Most stakeholders said a PSA with law enforcement and military\n                      background is critical in establishing common ground with security\n                      managers, as facility security managers often have similar\n                      experience. Stakeholders said PSAs do not need to be sector\n                      experts, but need security expertise, an awareness of all pertinent\n                      facilities, an understanding of the area\xe2\x80\x99s geography, and a basic\n                      understanding of a facility\xe2\x80\x99s significance to the region and Nation.\n\n                      Smaller Companies and Less Mature Sectors May Develop\n                      Relationships More Rapidly\n\n                      The majority of oil and natural gas industry owner/operators have\n                      mature security procedures, with security personnel and operators\n                      who have been securing facilities around the world for years. As a\n                      result, the industry does not typically ask for assistance, which\n                      makes transitioning to further relationship phases more\n                      challenging. Some industry representatives suggested that because\n                      so many larger oil and natural gas companies have the financial\n                      resources and have been building their security measures for years,\n                      smaller companies as well as sectors less accustomed to\n                      infrastructure protection have a greater need for PSA services. In\n                      some cases, one person might manage the infrastructure protection\n                      at a facility, and starting and maintaining a more extensive\n                      infrastructure protection program could be cost and resource\n                      prohibitive. The free services the PSA advertises during the\n                      introduction phase might be more attractive to certain facilities,\n                      and those relationships may progress more rapidly.\n\n                                     Phase Two: Interaction\n\n                                   The interaction phase was most often described by\n                                   stakeholders as important, since it provides access to\n                                   no-cost services that help improve stakeholder security\n                                   posture and capabilities without initial capital\n                                   investment. Immediate access to CIKR or related\n                                   information, intelligence, threats, training, and industry\n                                   standards, is available through the PSA. PSAs also\n                                   connect stakeholders to services from other DHS\n                                   components, thereby serving as a one-stop shop. DHS\n                                   gains increased engagement with critical infrastructure\n                                   owner/operators, according to the NIPP concepts of\n                                   partnership and collaboration. This improves the\n                      communication and information sharing necessary for national\n                      infrastructure protection.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 16\n\n\x0c                      In addition, a number of stakeholders said there are not enough\n                      PSAs nationwide, citing reduced personal attention. Although\n                      most stakeholders lauded their PSAs\xe2\x80\x99 responsiveness, some said\n                      PSAs are not always available and increased demands on the PSAs\n                      without an increase in the PSA cadre could negatively affect PSA\n                      interaction phase activities. Although developing a relationship\n                      with a PSA was essential to trusting the PSA Program as a whole,\n                      stakeholders said their relationship was with the program and not\n                      necessarily with a particular PSA. Should a current PSA leave,\n                      stakeholders recommend a period of overlap between the current\n                      PSA and the new PSA to help ensure a smooth transition. In\n                      response to the report, PSA Program officials responded that this\n                      practice is not possible under current federal hiring processes and\n                      Office of Personnel Management regulations.\n\n                      To address transition issues, however, the PSA Program has\n                      established procedures to mitigate potential gaps in coverage\n                      experienced by a departing PSA. For example, when a PSA\n                      leaves, the program directs another PSA or multiple PSAs from\n                      neighboring districts to assume responsibility for the affected\n                      district. The program introduces new PSAs to stakeholders prior\n                      to a PSA\xe2\x80\x99s departure to familiarize stakeholders with the new PSA,\n                      formalize responsibility transition, and ensure continuity of effort.\n\n                      PSAs Assist Stakeholders to Ensure Staffs Are Adequately Trained\n\n                      Stakeholders often ask PSAs about training opportunities for the\n                      private sector and state and local officials. In addition to online\n                      courses on topics such as community hurricane preparedness,\n                      available through FEMA, IP offers training courses targeted to\n                      security managers, and can send teams to facilities to perform\n                      these trainings at the stakeholders\xe2\x80\x99 request. Examples of the\n                      security training offered include surveillance detection courses and\n                      private sector counterterrorism awareness workshops. As the\n                      federal government funds those resources, the educational\n                      opportunities promoted and coordinated through PSAs are\n                      advantageous to stakeholders.\n\n                      Some industry stakeholders receive regular updates on educational\n                      opportunities from their PSAs, and have participated in\n                      recommended courses, conferences, and seminars. As funded or\n                      inexpensive targeted training for industry professionals has\n                      become more difficult to find, having PSAs notify stakeholders of\n                      any private industry-focused security training opportunities is\n                      useful. Some stakeholders, however, expressed frustration that\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 17\n\n\x0c                           private security managers do not have access to potentially\n                           beneficial training courses only available to governmental\n                           professionals.\n\n                           PSAs Play a Significant Role in Incident and Event Management\n\n                           For incidents and national profile security events, PSAs provide\n                           support to local, state, and federal emergency management teams.\n                           They also provide timely status information to DHS\xe2\x80\x99 National\n                           Infrastructure Coordinating Center (NICC) and IP leadership\n                           concerning CIKR facilities.14 In addition, PSAs coordinate with\n                           multiple entities to help private industry get facilities back online\n                           quickly after an incident. PSAs are often the first DHS employees\n                           on the scene in response to an incident. In combination with the\n                           relationships built before an incident, PSAs can provide rapid\n                           situational awareness to DHS and IP officials, and serve as an\n                           information coordinator and needs liaison with local, state, federal,\n                           and private sector stakeholders after an incident.\n\n                           PSAs have access to state and local official distribution lists to\n                           allow for immediate response, have a collaborative relationship\n                           with FEMA on incident response issues, and provide assistance\n                           when requested. When an incident occurs or is imminent, the\n                           state\xe2\x80\x99s Emergency Operations Center generally manages the\n                           incident response, and PSAs report to the center and deploy as\n                           necessary. From these locations, PSAs leverage their relationships\n                           with private industry stakeholders to provide information to the\n                           state\xe2\x80\x99s Emergency Operations Center, the NICC, and IP leadership\n                           on the status of specific critical facilities. PSAs are also able to\n                           advise state and local stakeholders on specific facility\n                           vulnerabilities, and help determine priorities for protection or\n                           deploying resources.\n\n                           For example, a number of stakeholders praised the PSAs\xe2\x80\x99 incident\n                           management activities, especially during recovery efforts for\n                           Hurricanes Ike and Gustav in 2008. Stakeholders said PSAs\n                           served as a direct line to funnel CIKR information and updates to\n                           DHS and the NICC, and as a single point of contact for private\n                           industry\xe2\x80\x99s CIKR related needs. PSAs helped private sector\n                           facilities restore operations and leveraged relationships with local\n\n14\n   The NICC is a 24-hour watch/operations center that maintains operational, situational, and incident\nawareness of the nation\xe2\x80\x99s CIKR sectors. The center provides for centralized coordination and exchange of\nthreat, alert, warning, incident, event, and other relevant information among the public and private sectors.\n\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                   Page 18\n \n\n\x0c                      law enforcement officials, the state, and other agencies to facilitate\n                      private industry employee re-entry to disaster-affected areas.\n\n                      Stakeholders Value PSA Information Sharing Activities\n\n                      PSAs facilitate information sharing daily; program officials\n                      estimate that information sharing is 50% to 60% of a PSA\xe2\x80\x99s job.\n                      Across the Nation, PSAs participate in at least 52 different Oil and\n                      Natural Gas Subsector security working groups and councils. To\n                      ensure PSAs maintain relationships with as many stakeholder\n                      groups as possible, some work with state homeland security and\n                      emergency management officials to attend meetings, taking each\n                      other\xe2\x80\x99s messages to the meetings, and then briefing one another on\n                      the proceedings.\n\n                      Upon request, PSAs also provide private industry and some state\n                      and local officials with threat information. As each relationship is\n                      different, a PSA might automatically provide one stakeholder with\n                      any relevant threat information, while waiting for a request from\n                      another. When permissible, PSAs inform facilities how to\n                      determine whether they are under surveillance, how to identify the\n                      signs of other dangerous activities, and how the facility can\n                      employ protection measures. In addition, PSAs share any daily\n                      publicly available information, in some cases extracting and\n                      sharing only the protective information of interest to a security\n                      manager based on current events, the site, or location.\n\n                      Stakeholders use the PSAs to obtain information on a variety of\n                      topics, including proposed legislation and best practices. In some\n                      instances, other entities contact a facility for information, and the\n                      facility owner/operators call PSAs to vet the requesters. Some\n                      stakeholders use the PSAs to get information on an event occurring\n                      in another area where they may have facilities. A common\n                      complaint, however, was that the information sharing was\n                      sometimes one-sided, and sometimes not expedient. In addition,\n                      some stakeholders note a considerable decline in information\n                      sharing since the program\xe2\x80\x99s inception, however, it was unclear\n                      whether this was a result of modified policies within IP or reduced\n                      information available to PSAs.\n\n                      Stakeholder Information Sharing Has Improved, but Concerns\n                      Remain\n\n                      The background, approach, and interactions PSAs have with\n                      industry stakeholders are significant in determining whether\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 19\n\n\x0c                      stakeholders are willing to work with the program. However,\n                      another indispensible factor to information sharing is building trust\n                      in the PCII Program. A PCII designation protects business-\n                      sensitive, security related facility, company, and industry\n                      documents, records, or other data voluntarily submitted to DHS\n                      from disclosure. Initially, most sectors and subsectors classified\n                      CIKR reports, which hindered information sharing and best\n                      practices exchanges among the stakeholders. Because of a PCII\n                      designation, PSAs can disseminate general, sanitized reports about\n                      sector and subsector issues as For Official Use Only, while\n                      protecting any specific facility information and data provided by\n                      the private sector from disclosure.\n\n                      Private industry stakeholders and associations suggested that, in\n                      combination with the relationships built with their PSAs, the PCII\n                      Program helps facilitate the flow of information in an industry\n                      known for a reluctance to share information. In addition, the PSAs\n                      regularly attend many of the same meetings and working groups of\n                      stakeholders, and share contacts with the private industry, and vice\n                      versa. Industry stakeholders said that this constant interaction and\n                      exposure has increased trust and fostered relationships. Because of\n                      this, facilities grant PSAs access more quickly to help identify\n                      vulnerabilities.\n\n                      For other stakeholders, however, concerns remain about divulging\n                      too much information. A common concern voiced was an\n                      uncertainty about what DHS was doing with data it collected\n                      during facility assessments, and whether DHS could use this\n                      information against the stakeholders in the future. Despite\n                      protections guaranteed by the PCII Program, stakeholders still\n                      have data use and storage concerns.\n\n                      PSAs Support State and Local Government CIKR Programs, But\n                      Better Understanding of Government Programs is Necessary\n\n                      PSAs bring additional CIKR-dedicated human and technological\n                      resources to state and local governments, especially during\n                      incident response. In many states, officials describe PSAs as a part\n                      of their team and include PSAs in state agency meetings. Some\n                      state partners use PSAs to help bridge relationship gaps between\n                      them and private industry. Because of the current economic\n                      environment and diminished state and local resources, some states\n                      use PSAs more to assess and strengthen CIKR protection activities.\n                      However, most state officials we spoke with were concerned that\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 20\n\n\x0c                            PSAs cannot currently provide enough support to compile CIKR\n                            lists for state use and for submission to DHS.\n\n                            In most states, the partnership between the PSA and the state\xe2\x80\x99s\n                            CIKR program focuses on the owner/operators, with the state and\n                            PSAs presenting a consistent message to facilities. Working as a\n                            team alleviates additional burdens on facilities; companies are\n                            more receptive to this approach, often allowing the team to share\n                            security-related information.\n\n                            State officials said they want PSAs to have a better understanding\n                            of all state and federal programs that relate to the Oil and Natural\n                            Gas Subsector, not just those within IP or DHS. It would be more\n                            useful for PSAs to know what the industry already does with other\n                            assessments, inspections, studies, or evaluations before requesting\n                            potentially duplicative information and data.\n\n                            Some state officials also expressed the need for better\n                            communication between DHS headquarters and PSAs, specifically\n                            regarding the submission of CIKR for DHS\xe2\x80\x99 critical asset lists.\n                            While the PSAs offer states assistance in compiling the lists, the\n                            PSAs are often unable to explain the criteria or identify an IP\n                            representative who can explain why some assets are included on\n                            the Level 1/Level 2 list and why some are not.15 Concerning\n                            additional support needed from PSAs, some states want to use the\n                            PSAs more for state CIKR data call submissions to DHS and for\n                            asset prioritization. In response to the report, PSA Program\n                            officials disputed this assertion and indicated it is a\n                            misunderstanding of the PSAs\xe2\x80\x99 role in the CIKR data call.\n\n                            The PSAs\xe2\x80\x99 role is to assist states in compiling the lists by helping\n                            state personnel identify infrastructure critical to that state, and to\n                            verify facility data, e.g., physical address, geospatial coordinates,\n                            name. PSAs are not involved in establishing criteria, or the\n                            determinations to include or not include facilities on the final\n                            prioritized list of critical infrastructure, as this is the function of\n                            IP\xe2\x80\x99s Infrastructure Analysis and Strategy Division.\n\n\n15\n   Level 1/Level 2 (formerly called Tier 1/Tier 2) ranking is part of DHS\xe2\x80\x99 National CIKR Prioritization\nProgram, identifying nationally significant critical assets and systems. This annual identification relies\nheavily on the insights and knowledge of a wide array of public and private sector security partners. DHS\nuses the rankings to determine eligibility and implementation of certain CIKR protection programs and\ninitiatives, such as grant programs, buffer zone protection efforts, facility assessments, training, and other\nactivities. The Level 1/Level 2 list is classified.\n\n\n\n      Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                        Oil and Natural Gas Subsector \n\n\n                                                    Page 21\n \n\n\x0c                      Some state officials thought it might be worthwhile to have a PSA\n                      that focused on certain sectors and for more PSAs to be involved in\n                      smaller events or incidents that do not reach the level for federal\n                      assistance. Other state officials suggested a PSA working strictly\n                      on state legislature issues and located in the state\xe2\x80\x99s capitol would\n                      be worthwhile.\n\n                                     Phase Three: Assessment\n\n                                   Vulnerability and risk assessments performed for\n                                   stakeholders by DHS components identify security\n                                   weakness areas and possible options for critical\n                                   infrastructure security improvements. This guidance is\n                                   extremely valuable as private sector stakeholders and\n                                   state and local jurisdictions aim to minimize and limit\n                                   expenditures. Developing stakeholder cooperation and\n                                   collaboration is crucial to DHS building the national\n                                   database of risk areas and inventory of critical\n                                   infrastructure. It also provides DHS with information\n                                   necessary to plan for the use of resources such as grant\n                                   programs, research and development, exercises, and\n                      additional training course development. Any specific facility\n                      information and data provided by the private sector and collected\n                      by IP during these assessments holds a PCII designation, which\n                      typically exempts it from disclosure.\n\n                      Private Sector Owner/Operators Consider Voluntary Assessments\n                      Valuable\n\n                      The PSAs conduct and coordinate vulnerability surveys and\n                      assessments for private sector facilities. These assessment services\n                      could cost as much as $25,000 when obtained privately, but are\n                      made available to the stakeholders at no cost.\n\n                      Site Assistance Visits\n\n                      Site Assistance Visits (SAV) are voluntary. PSAs coordinate with\n                      PSCD\xe2\x80\x99s Vulnerability Assessment Branch to conduct an SAV.\n                      The assessment team is composed of three to four individuals with\n                      specialized skills and knowledge specifically suited to the facility\n                      type and location. Most teams include bomb, technical, and\n                      assault planning experts. During these assessments, the team\n                      simulates likely threat scenarios to determine where security\n                      vulnerabilities exist and to develop mitigation strategies. Some\n                      facility security managers said the teams were sometimes so\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 22\n\n\x0c                      knowledgeable about a facility\xe2\x80\x99s technical operations it was\n                      necessary to contact engineers and other staff to respond to team\n                      questions.\n\n                      The Vulnerability Assessments Branch conducts 250-300 SAVs\n                      per year. An SAV requires 1-3 days to complete, depending on its\n                      focus. The assessment team provides the owner/operator with an\n                      initial assessment, and follows up with written report within 90\n                      days. Stakeholders have full discretion to act or not act on report\n                      recommendations.\n\n                      Enhanced Critical Infrastructure Protection Initiative\n\n                      While the SAV provides a more comprehensive look at facilities\xe2\x80\x99\n                      vulnerabilities and can be tailored to focus on specific aspects of\n                      critical operations such as cyber and control systems, the Enhanced\n                      Critical Infrastructure Protection (ECIP) Initiative is a voluntary\n                      data collection and outreach program. The ECIP provides the PSA\n                      with an opportunity to educate facility owner/operators on security,\n                      and to promote communication and information sharing among\n                      facility owner/operators, DHS, and state and local government\n                      agencies. The PSA works with the facility\xe2\x80\x99s security manager to\n                      document the physical security, security force, security\n                      management, information sharing, protective measures, and\n                      dependencies that exist at a facility. PSAs collect data using a\n                      standardized survey and this data is compiled into a Protective\n                      Measures Index. The index is a quantitative protection measure\n                      developed for each of the 18 different sectors, which allows for\n                      security measures comparison with other similar facilities in the\n                      same sector and subsector.\n\n                      After the survey, the owner/operator receives the results in the\n                      form of an ECIP Dashboard, which is an interactive electronic\n                      reporting tool that provides a current picture of the facility\xe2\x80\x99s\n                      Protective Measures Index information, as well as a graphic\n                      comparison of the facility\xe2\x80\x99s index to other similar facilities. The\n                      ECIP Dashboard allows the stakeholder to manipulate its security\n                      posture variables and to determine how to improve protection in a\n                      cost effective manner by prioritizing capital expenditures.\n                      Stakeholders value the ability to make comprehensive comparisons\n                      of their facility to similar facilities. These tools also allow DHS to\n                      map facility, sector, and subsector interdependencies, and\n                      determine whether resiliency exists. Therefore, the survey not\n                      only serves as a strong relationship-building tool, but also allows\n                      for data gathering on infrastructure protection levels in general.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 23\n\n\x0c                      States Benefit From Assessment Programs\n\n                      While vulnerability assessments often take place on privately\n                      owned infrastructure, states and local jurisdictions also benefit\n                      from assessment programs that provide funding and help\n                      communities prepare for incidents at facilities in their jurisdictions.\n\n                      Regional Resiliency Assessment Program\n\n                      The Regional Resiliency Assessment Program (RRAP) is a\n                      voluntary IP-led interagency assessment of selected CIKR, along\n                      with regional analysis of the surrounding infrastructure. The\n                      RRAP identifies CIKR dependencies, interdependencies,\n                      cascading effects, resiliency characteristics, gaps, and the\n                      prevention and protection capabilities of owner/operators, local\n                      law enforcement, and emergency response organizations.\n\n                      Coordinated by PSCD and the PSAs, the RRAP is a collaborative\n                      effort of IP that includes other federal agencies, public homeland\n                      security officials, state and local government, and private-sector\n                      owner/operators, working to enhance resilience of the CIKR and\n                      surrounding communities. Some states may not be able to perform\n                      similar assessments as efficiently and effectively without funding.\n\n                      After the RRAP review, IP analyzes the information, determines\n                      gaps in response capabilities, coordination and resources, and\n                      documents the results in a written report. This information is\n                      provided to the state\'s homeland security agency and participating\n                      facilities. For example, a recent RRAP in New Jersey involved 18\n                      sites in a ten-mile radius, and included at least 27 ECIPs and 18\n                      SAVs. With this regional approach, the RRAP review can provide\n                      a more complete assessment of resiliency, interdependency, and\n                      security. RRAP projects take 3 to 6 months to execute, are very\n                      collaborative, and attempt to leverage each organization\xe2\x80\x99s\n                      capabilities. Five RRAP projects were conducted in FY 2009, and\n                      during our fieldwork, PSCD was finalizing the 2010 projects.\n\n                      Buffer Zone Protection Program\n\n                      Administered by FEMA, the Buffer Zone Protection Program\n                      (BZPP) complements IP\xe2\x80\x99s Vulnerability Assessments Branch\n                      SAVs. While assessment visits recommend protections and\n                      preparedness measures inside a facility\xe2\x80\x99s perimeter, the BZPP\n                      addresses protections and preparedness levels for the surrounding\n                      area and emergency responders outside the facility.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 24\n \n\n\x0c                      The BZPP provides grant funding to increase the protection,\n                      preparedness, and response capabilities of communities that\n                      contain certain Level 1/Level 2 CIKR. The BZPP provides $50\n                      million in grants annually to cover approximately 200 assets.\n                      BZPP funding is allocated to states or territories based on the\n                      number, type, and character of pre-identified higher-risk sites\n                      within their respective jurisdictions. Funds are then further\n                      distributed to community law enforcement and first responders\n                      who react to incidents at those facilities. PSAs often help\n                      jurisdictions apply for and conduct BZPP assessments. In\n                      addition, some PSAs conduct ECIP surveys simultaneously with\n                      BZPP assessments, providing the facility with the benefit of the\n                      ECIP Dashboard, and the jurisdiction with the ability to apply for\n                      funding to respond to emergencies at the facility.\n\n                      Regulatory Obligations May Hinder the PSA Relationship\n                      Building Progress\n\n                      A perception that oil and natural gas industry regulation already\n                      exists may hinder stakeholder program participation. Some\n                      industry stakeholders said they do not take advantage of SAVs\n                      because of previous experiences with the department, and because\n                      stakeholders have existing obligations and reporting requirements\n                      to DHS and other governmental regulatory programs. Other\n                      stakeholders declined to participate in voluntary site visits and\n                      assessments because they are already overwhelmed with DHS\n                      regulations concerning chemical facility standards, transportation\n                      worker identification, and other programs.\n\n                      However, other stakeholders said the PSA Program bridges a gap\n                      between DHS\xe2\x80\x99 regulatory side and maintaining relationships to\n                      help owner/operators protect facilities. For example, several\n                      stakeholders have notified and invited their PSA, as an\n                      independent observer, when another federal or state agency is\n                      conducting an inspection, assessment, or exercise. Although these\n                      stakeholders have not progressed to the assessment phase, they\n                      said PSA Program services could be valuable, and would engage\n                      the program more should corporate headquarters change policy.\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 25\n \n\n\x0c                                     Phase Four: Change\n\n                                     Through efforts in the previous three phases, PSAs\n                                     work towards having owner/operators implement risk\n                                     reduction activities and improve protective measures at\n                                     facilities. However, many factors outside of the PSA\xe2\x80\x99s\n                                     control influence whether a private sector facility will\n                                     make any voluntary security enhancements. Some\n                                     stakeholders stated that even though they knew the\n                                     assessment recommendations were valid and useful,\n                                     voluntary changes ultimately depend on financial\n                                     resources and the strategic importance of a facility to\n                                     the company.\n\n                      While many stakeholders take advantage of PSA coordinated\n                      services and assessments and have made significant steps toward\n                      implementing recommendations, the PSA Program does not have\n                      structured follow-up that tracks activities to determine what\n                      influence the program has had on risk reduction. To evaluate the\n                      change effected by the PSA Program, the program needs to track\n                      and record stakeholders efforts, develop methods to compile\n                      sufficient information for DHS to evaluate the national CIKR risk\n                      posture, and use that information to inform PSA Program resource\n                      efforts and future planning.\n\n\n            Recommendation\n                      We recommend that the Director of the Protective Security\n                      Coordination Division:\n\n                      Recommendation #1: Develop a process to track and record\n                      voluntary assessment recommendation implementation, and use\n                      this information to guide future PSA Program recommendations,\n                      resource efforts, and planning.\n\n\n            Management Comments and OIG Analysis\n                      We evaluated NPPD\xe2\x80\x99s written comments and have made changes\n                      to the report where we deemed appropriate. A summary of\n                      NPPD\xe2\x80\x99s written response to the report recommendations and our\n                      analysis of the response follows each recommendation. A copy of\n                      NPPD\xe2\x80\x99s response, in its entirety, is included as Appendix B.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 26\n\n\x0c                      We also received technical comments from the PSA Program and\n                      the Department of Energy and incorporated those technical\n                      changes into the report where appropriate. We appreciate the\n                      comments and contributions made by each entity. NPPD/IP\n                      concurred with five of our recommendations and did not concur\n                      with two recommendations.\n\n                      Management Response: NPPD/IP concurred with\n                      Recommendation 1. NPPD officials responded that the PSA\n                      Program already has established processes and metrics to track\n                      voluntary implementation of security and resilience improvements\n                      resulting from IP assessments. The PSA Program has\n                      implemented 180-day follow-up interviews to capture information\n                      on risk-reduction implementation activities following PSA\n                      conducted ECIP security surveys. As facilities receive subsequent\n                      ECIP surveys, additional data collected will inform the change\n                      effected by the PSA Program. The 180-day follow-up currently\n                      identifies improvements made or implemented to physical security,\n                      security force, security management, information sharing,\n                      protective measures, and dependencies.\n\n                      NPPD officials responded further that in June 2010, using the\n                      ECIP security survey and 180-day follow-up data, PSCD analyzed\n                      voluntary protective measure implementation at facilities receiving\n                      ECIP visits. This metric was the first ever produced demonstrating\n                      the effect of the PSAs and ECIP security surveys. Based on initial\n                      analysis of implementation data, IP is developing new performance\n                      metrics that will reflect implementation of improvements to\n                      security and resilience resulting from voluntary IP assessments.\n\n                      NPPD will incorporate the 180-day follow-up process into other IP\n                      assessments, namely the SAV. Through the 180-day follow-up\n                      process and subsequent assessments of those same facilities, IP\n                      will be able to capture and track improvements over time,\n                      providing a better understanding of how the PSA Program, IP, and\n                      NPPD are buying down risk for the Nation\xe2\x80\x99s critical infrastructure.\n                      The facility security and resilience data, and voluntary\n                      implementation data captured by these IP assessments will allow\n                      DHS to evaluate the national protection posture of critical\n                      infrastructure, and inform NPPD, IP, and PSA Program goals,\n                      future planning efforts, and resource allocations.\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 27\n \n\n\x0c                      OIG Analysis: We consider NPPD/IP\xe2\x80\x99s proposed actions\n                      responsive to Recommendation 1, which is resolved and closed.\n                      No further reporting on this recommendation is required.\n\n\n   A Well Defined and Communicated Mission Will Enhance\n   Building Effective Critical Infrastructure Partnerships\n            Although PSA activities align with DHS\xe2\x80\x99 mission and the partnership\n            model described in the NIPP, there is no clearly defined mission statement\n            directing PSA Program activities. To measure the effectiveness of PSA\n            activities, the program needs to identify and develop achievable\n            milestones, based on results-oriented goals and objectives. Unclear goals\n            and objectives are also causing tension with other governmental partners,\n            as PSA activities and relationships appear to overlap, duplicate, or conflict\n            with critical protection efforts of other entities. The majority of Oil and\n            Natural Gas Subsector stakeholders said they are uncertain of the PSA\n            Program\xe2\x80\x99s overall mission. However, most stakeholders understand the\n            role PSAs have in building and maintaining relationships and partnerships\n            with the private sector; working with industry on assessing its exposure to\n            threats and vulnerabilities; and addressing questions and providing\n            information on DHS programs and operations.\n\n                      PSA Activities are Aligned with Organizational Mission and\n                      Goals\n\n                      DHS is working to reduce the Nation\xe2\x80\x99s vulnerability to terrorist\n                      attacks, major disasters, and other emergencies. To do so in part,\n                      DHS\xe2\x80\x99 FY 2008-2013 Strategic Plan identifies the goal of\n                      protecting CIKR and an accompanying objective of protecting and\n                      strengthening resilience through the department\xe2\x80\x99s efforts. These\n                      efforts include mitigating potential vulnerabilities and fostering\n                      partnerships to safeguard against the most dangerous threats and\n                      risks to CIKR.\n\n                      The department\xe2\x80\x99s goal of protecting critical infrastructure is\n                      delegated from NPPD to IP; protecting CIKR through risk\n                      reduction is then delegated to PSCD. Within PSCD, the PSA\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 28\n \n\n\x0c                      Program intends to assist fulfilling this goal by aligning its\n                      activities with NPPD and IP objectives. These activities include:\n\n                          \xe2\x80\xa2\t Establishing partnerships with stakeholders; consolidating\n                               preparedness assets from across DHS and facilitating grants;\n                          \xe2\x80\xa2\t Supporting first responder training, citizen awareness,\n                               public health, infrastructure, and cyber security; protecting\n                               high-risk targets;\n                          \xe2\x80\xa2\t   Providing timely, actionable, and valuable threat \n\n                               information; \n\n                          \xe2\x80\xa2\t   Implementing and maintaining a fully operational incident\n                               management capability;\n                          \xe2\x80\xa2\t   Enhancing public and private sector self-sufficient risk\n                               reduction activities; and\n                          \xe2\x80\xa2\t   Developing and implementing effective protective programs\n                               to reduce risk to CIKR assets, systems, networks, and\n                               functions.\n\n                      To determine whether these PSA activities are contributing to\n                      DHS\xe2\x80\x99 mission, the program needs to identify its own mission, and\n                      develop achievable milestones, based on results-oriented goals and\n                      objectives.\n\n                      Unclear PSA Program Mission Limits Ability to Develop\n                      Stakeholder Relationships and Partnerships\n\n                      With only an implied mission related to individual PSA activities,\n                      the PSA Program is currently unable to identify what it intends to\n                      accomplish. Several government and private stakeholders\n                      expressed that the program\xe2\x80\x99s mission was never clearly defined or\n                      communicated. As a result, intended goals are unclear and there is\n                      difficulty determining roles and responsibilities, which creates\n                      overlap and some frustration. A clearly defined mission is\n                      necessary for building relationships and partnerships with\n                      stakeholders.\n\n                      For example, ineffective initial communication and coordination\n                      among program offices strained the relationship between DOE and\n                      the PSA Program. DOE officials said there have been some\n                      overall coordination improvements with the PSA Program.\n                      Previously, very little to no advance notice was given to DOE\n                      when PSAs went to Energy Sector assets and owner/operators, but\n                      this is improving. DOE officials also said the roles and\n                      responsibilities between IP and the SSAs need better definition,\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 29\n\n\x0c                      particularly in sectors where DHS is not the SSA, such as the\n                      Energy Sector.\n\n                      In addition, a clear and communicated PSA Program mission could\n                      help stakeholders manage expectations, as well as understand the\n                      activities and expertise of the PSA cadre. For example, some\n                      stakeholders and federal partners do not recognize or understand\n                      the distinction in roles between the PSA Program and the\n                      Vulnerability Assessments Branch concerning survey and\n                      assessment resources. While the PSA coordinates SAVs, the\n                      Vulnerability Assessments Branch conducts these assessments.\n                      Not understanding the PSAs\xe2\x80\x99 role causes some stakeholders to\n                      question whether PSAs have the sector specific expertise necessary\n                      to conduct SAVs, even though PSAs do not conduct SAVs.\n\n                      While the activities and responsibilities of the PSAs align with IP,\n                      NPPD, and DHS missions, evaluating the PSA Program as\n                      effective or ineffective without a stated mission and related\n                      objectives is difficult. A clearly stated program mission, with\n                      objectives and intended outcomes, will clarify PSA roles and\n                      responsibilities for CIKR partners and stakeholders.\n\n\n            Recommendations\n                      We recommend that the Director of the Protective Security\n                      Coordination Division:\n\n                      Recommendation #2: Develop a mission statement for the PSA\n                      Program, and communicate the mission within DHS, to public and\n                      private stakeholders, SSAs, and other federal CIKR partners.\n\n                      Recommendation #3: Develop achievable PSA Program\n                      milestones, based on results-oriented goals. Goals and objectives\n                      should align with and influence achieving IP, NPPD, and DHS\n                      CIKR goals and objectives.\n\n\n            Management Comments and OIG Analysis\n                      Management Response: NPPD/IP concurred with\n                      Recommendation 2. NPPD officials responded that PSAs do have\n                      a clearly defined mission statement, described in the PSA Program\n                      Management Plan. The PSA\xe2\x80\x99s mission statement is to \xe2\x80\x9cRepresent\n                      DHS and IP in local communities throughout the United States.\xe2\x80\x9d\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 30\n\n\x0c                      The PSA mission is to work with State Homeland Security\n                      Advisors\xe2\x80\x99 offices and their security partners throughout the region,\n                      serving as liaisons between DHS; the private sector; and federal,\n                      state, territorial, local, and tribal entities and acting as the DHS\n                      onsite critical infrastructure and vulnerability assessment\n                      specialists.\n\n                      NPPD officials responded further that PSAs are able to articulate\n                      the program\xe2\x80\x99s mission to stakeholders, and that stakeholders\n                      understand the program\xe2\x80\x99s affect and value individually. However,\n                      stakeholders do not perceive the broader, national level impact of\n                      coordinated PSA activities across the country. NPPD officials said\n                      the issue is not the lack of a mission statement, but rather mission\n                      messaging to stakeholders such that stakeholders understand the\n                      national level purpose and mission of PSA activities, and how\n                      those activities link with activities of other federal agencies and\n                      programs with similar responsibilities. The PSA Program will\n                      communicate to stakeholders the PSA Program\xe2\x80\x99s intended results\n                      and overall mission better.\n\n                      OIG Analysis: We consider NPPD/IP\xe2\x80\x99s proposed actions\n                      responsive to the intent of Recommendations 2, which is resolved\n                      and open. The recommendation will remain open pending our\n                      receipt of the PSA Program\xe2\x80\x99s strategy and implementation plan to\n                      communicate intended program results and its overall mission to\n                      stakeholders better. The communication strategy and\n                      implementation plan should include communication activities\n                      within DHS, to public and private stakeholders, SSAs, and other\n                      federal CIKR partners.\n\n                      Management Response: NPPD/IP responded that it non-concurs\n                      with Recommendation 3. Officials said the PSA Program has\n                      reached a degree of operational maturity where it is no longer\n                      focused on milestones, which are typically related to program\n                      establishment, e.g., creating an IP/PSA presence in every state.\n                      The PSA Program has matured and has developed performance\n                      metrics to measure the results of its efforts, which align with and\n                      influence achieving IP, NPPD, and DHS goals and objectives.\n                      Program officials said further detail on these metrics is included in\n                      its response to Recommendation 7.\n\n                      OIG Analysis: Although NPPD/IP did not concur with this\n                      recommendation, we consider the proposed actions responsive to\n                      Recommendation 3, which is resolved and open. This\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 31\n\n\x0c                      recommendation will remain open pending our receipt of approved\n                      multi-year performance metrics and associated results-oriented\n                      performance goals that demonstrate achievement of the PSA\n                      Program\xe2\x80\x99s mission; and that such efforts align with IP, NPPD and\n                      DHS CIKR goals and objectives as referenced in IP\xe2\x80\x99s responses to\n                      Recommendation 1 and 7.\n\n\n   Coordination and Communication within DHS Needs\n   Improvement\n            Within DHS, multiple components regulate and collaborate with the\n            public and private sectors to protect CIKR. The number of assessments\n            and requests for similar information from the department creates\n            frustration within private industry, especially in the oil and natural gas\n            industry where many governmental entities have safety, security, or\n            oversight responsibilities. DHS\xe2\x80\x99 internal coordination issues diminish the\n            PSA Program\xe2\x80\x99s value and improved collaboration is necessary to serve\n            CIKR stakeholders and partners more efficiently and effectively.\n\n                      Stakeholders Express Need for Better Coordination\n\n                      Multiple stakeholders said the oil and natural gas industry\xe2\x80\x99s\n                      primary issue with the PSA Program is the need for coordination\n                      between the different partners, and the program\xe2\x80\x99s value diminishes\n                      when DHS offices and components do not communicate\n                      effectively. In November 2009, DHS\xe2\x80\x99 Secretary met with the Oil\n                      and Natural Gas SCC leadership, among others, to discuss critical\n                      infrastructure security. The SCC leadership reiterated its need for\n                      DHS to resolve internal coordination issues. While the industry\n                      realizes agencies have different missions and mandates, better\n                      coordination would reduce confusion among oil and natural gas\n                      owner/operators.\n\n                      As mentioned previously, some stakeholders have PSAs attend\n                      regulatory inspections or routine safety reviews as an objective\n                      observer. There are planned events, inspections, and reviews\n                      where coordination between DHS components could improve. For\n                      example, FEMA conducted a tabletop exercise in which numerous\n                      DHS components helped plan and subsequently participated.\n                      However, PSAs were neither informed nor invited to attend. As a\n                      result, shortly after the exercise started, stakeholders and other\n                      participants questioned why PSAs were not present. Even though\n                      the oversight was resolved quickly, it highlights the need for more\n                      effective communication within the department.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 32\n \n\n\x0c                      Assessments are Performed by Several DHS Components\n\n                      The Oil and Natural Gas Subsector is heavily regulated, therefore\n                      increased coordination and transparency is necessary.\n                      Stakeholders said information often requested by one program is\n                      similar to information already provided to another program.\n                      Stakeholders want programs to exchange information rather than\n                      answer the same questions multiple times. Many stakeholders\n                      have a long working history with federal agencies, and they are\n                      less concerned with sharing information among agencies than the\n                      costs of redundant assessments and information requests.\n\n                      Stakeholders referred to the multiple regulatory assessments\n                      currently performed by DHS, including those under Chemical\n                      Facility Anti-Terrorism Standards as well as the U.S. Coast\n                      Guard\xe2\x80\x99s Maritime Security directives and regulations pertaining to\n                      the Maritime Transportation Security Act of 2002. The Chemical\n                      Facility Anti-Terrorism Standards are mandatory for any facility\n                      that manufactures, uses, stores, or distributes certain chemicals at\n                      or above a specified quantity. IP\xe2\x80\x99s Infrastructure Security\n                      Compliance Division is responsible for carrying out the regulatory\n                      assessments, promoting collaborative security planning, and\n                      ensuring that covered facilities meet the risk-based performance\n                      standards. The U.S. Coast Guard issues Maritime Security\n                      Directives mandating specific security measures for vessels and\n                      facilities when additional security measures are necessary to\n                      respond to a threat assessment or to protect from a specific threat\n                      against maritime elements of the national transportation system.\n\n                      Further, TSA\xe2\x80\x99s Pipeline Security Division conducts Corporate\n                      Security Reviews to evaluate incident plans, programs, and\n                      implementation. The Pipeline Corporate Security Review Program\n                      is an on-site review of a pipeline operator\xe2\x80\x99s security plan and its\n                      implementation, conducted by TSA\xe2\x80\x99s Pipeline Security Division\n                      staff. The review uses a standard protocol to capture quantitative\n                      and qualitative data that aid in prioritizing critical systems and in\n                      establishing a baseline against which to evaluate minimum-\n                      security standards in the industry and identify coverage gaps. In\n                      addition, TSA conducts legislatively mandated Critical Facilities\n                      Inspections; however, participation by facilities in these reviews is\n                      voluntary, as are any actions recommended as a result of\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 33\n \n\n\x0c                            inspections.16 Stakeholders question why components within the\n                            same department do not share this security information.\n\n                            Although there is some duplication in assessments performed on\n                            facilities concerning security, some stakeholders said that each\n                            assessment has a different focus in addition to security. A number\n                            of stakeholders said PSA assessments are attractive because they\n                            are free, non-consequential, and provide third party credibility to\n                            requests for security upgrades. Some stakeholders view\n                            assessments negatively as they are very time consuming and work-\n                            intensive for their staff. Therefore, it would be helpful to\n                            stakeholders to have common security related assessment\n                            information coordinated ahead of time.\n\n\n                  Recommendation\n                            We recommend that the Director of the Protective Security\n                            Coordination Division:\n\n                            Recommendation #4: Inventory regulatory and voluntary\n                            assessments, reviews, and resources of tribal, local, state, and\n                            federal governmental entities that affect Oil and Natural Gas\n                            Subsector stakeholders, and determine where the PSA Program can\n                            leverage efficiencies and enhance coordination.\n\n\n                  Management Comments and OIG Analysis\n                            Management Response: NPPD/IP concurred with\n                            Recommendation 4. IP management responded that it agrees a\n                            comprehensive inventory of these items would be beneficial to\n                            PSAs to improve their sector knowledge. However, development\n                            of such an inventory is not the responsibility of the PSA Program\n                            or PSCD. Responsibility for maintaining this level of awareness of\n                            relevant assessments, reviews, and resources affecting sectors lies\n                            with the SSAs. Sector Specialists from IP\xe2\x80\x99s Partnership and\n                            Outreach Division will work with DOE to create a consolidated\n\n\n16\n   The Implementing Recommendations of the 9/11 Commission Act of 2007, Sec. 1557, Public Law 110-\n53 (August 3, 2007), requires TSA to develop and implement a plan for reviewing pipeline security plans\nand inspecting the critical facilities of the 100 most critical pipeline operators as identified by a September\n2002 Department of Transportation circular.\n\n\n\n      Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                        Oil and Natural Gas Subsector \n\n\n                                                    Page 34\n \n\n\x0c                      inventory of the regulatory and voluntary assessments, reviews,\n                      and resources that affect Oil and Natural Gas Subsector\n                      stakeholders. The PSA Program will support IP\xe2\x80\x99s Partnership and\n                      Outreach Division in this endeavor to create the inventory, and\n                      once completed, will determine where the PSA Program can\n                      leverage efficiencies and enhance coordination. When the PSA\n                      Program knows of assessments, reviews, and resources, officials\n                      responded that the program already coordinates with relevant\n                      stakeholders and works to create efficiencies.\n\n                      OIG Analysis: We consider NPPD/IP\xe2\x80\x99s proposed actions\n                      responsive to Recommendation 4, which is resolved and closed.\n                      No further reporting on this recommendation is required.\n\n\n   More PSA Program Support to Sector Leadership Partners is \n\n   Needed \n\n            DHS has a responsibility to support and coordinate effectively with all\n            SSAs. PSA interactions with stakeholders across the nation provide DHS\n            with a unique opportunity to support ongoing SSA efforts to implement\n            the NIPP in each sector, especially for SSAs with limited resources to\n            maintain a similar continuous field presence. By effectively\n            communicating with the SSA during strategic planning, the PSA Program\n            can better align its assistance to support DOE. In addition, the PSA\n            Program can benefit from increased interaction because of the vast sector-\n            specific technical knowledge DOE possesses. Further, increased\n            coordination with the Oil and Natural Gas SCC and greater presence at\n            meetings would strengthen stakeholder and PSA Program communication,\n            allow PSAs to be involved in strategies outlined in sector specific plans,\n            and increase PSA Program awareness of issues and needs.\n\n                      PSA Program Can Improve DHS\xe2\x80\x99 Support of DOE\n\n                      As the SSA, DOE is responsible for implementing the NIPP\n                      framework and guidance as tailored to the specific characteristics\n                      and risks of the Energy Sector as a whole, and the Oil and Natural\n                      Gas Subsector specifically. DHS\xe2\x80\x99 role is to help coordinate with\n                      and support DOE in its efforts to lead, integrate, and coordinate the\n                      activities of the sector and subsector, as well as providing\n                      guidance, tools, and analytical support to the SSA and its\n                      sector/subsector membership.\n\n                      PSAs have a geographic advantage over some SSAs, as PSAs are\n                      field-based and interact with stakeholders directly, whereas some\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 35\n\n\x0c                           SSAs are headquarters-based and would need to send staff to\n                           conduct field assessments and visits. DOE officials said they want\n                           to be involved in the assessment programs, but do not have\n                           additional dedicated resources to participate in most PSA field\n                           assessments and visits.\n\n                           Because DOE is unable to participate in most cases, officials are\n                           concerned about PSA interactions with stakeholders and\n                           information collected. For example, when PSAs first began\n                           performing ECIPs, the program did not communicate with DOE on\n                           ECIP objectives, what assessments it was conducting, and on\n                           which facilities. DOE officials said they would prefer more\n                           coordination and interaction with the PSA Program to facilitate\n                           mutual objectives, as DOE is unsure of PSA expertise in the Oil\n                           and Natural Gas Subsector. Conversely, PSA Program officials\n                           said that because of differing perspectives, obtaining information\n                           timely from DOE is sometimes challenging. For example, when\n                           the program needs to respond to a request for information from\n                           DHS leadership, DOE has not had the same urgency to obtain the\n                           information. Additional coordination and interaction between the\n                           PSA Program and DOE would provide a mutual understanding of\n                           similar and competing objectives and perspectives.\n\n                           DOE officials said both departments work well during\n                           emergencies, but NICC information request coordination still\n                           needs improvement. For example, in 2009 there was a fire at an\n                           oil and natural gas facility in Puerto Rico. As a result, the NICC\n                           sent a request for information to DOE and to DHS\xe2\x80\x99 Homeland\n                           Infrastructure Threat and Risk Analysis Center; the DHS center\n                           responded that there were no substantial issues or problems at the\n                           facility.17 DOE, however, responded that the incident could have\n                           been serious because of the fuel type handled at the facility.\n                           Conflicting assessments made it difficult for the NICC to obtain\n                           timely situational awareness of the incident. By designating an\n                           information lead for a facility and its interdependencies before an\n                           incident, more efficient information exchange and situational\n                           awareness reporting can occur.\n\n\n\n\n17\n   The Homeland Infrastructure Threat and Risk Analysis Center coordinates with the intelligence\ncommunity, law enforcement, SSAs, and owner/operators to produce actionable risk-informed products\nthat contain all-hazards warning, threat, and CIKR protection information for federal, state and local, and\nprivate sector partners.\n\n\n\n     Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                       Oil and Natural Gas Subsector \n\n\n                                                   Page 36\n \n\n\x0c                      Increased PSA Program Coordination with Oil and Natural\n                      Gas SCC Would Enhance Effectiveness\n\n                      SCCs provide forums for private industry to identify and\n                      implement effective information-sharing capabilities; organize and\n                      coordinate sector policies; integrate public sector plans with\n                      private-sector initiatives; and provide input to the government on\n                      sector research and development efforts and requirements.\n                      Increased coordination with the Oil and Natural Gas SCC and\n                      greater presence at meetings would strengthen stakeholder and\n                      PSA Program communication, allow PSAs involvement in\n                      strategies outlined in sector specific plans, and increase PSA\n                      Program awareness of issues and needs.\n\n                      Oil and Natural Gas SCC officials said it does not receive enough\n                      information from DHS and wants IP leadership to engage the SCC\n                      about what the subsector needs from PSAs and DHS. SCC\n                      officials said there is also an opportunity for the subsector to help\n                      PSAs build necessary public sector relationships and eliminate\n                      bottlenecks and misunderstandings. Incorporating the SCC into\n                      early program development and planning would facilitate informed\n                      exchanges on whether new programs are necessary, or whether\n                      existing programs served the same purpose.\n\n                      Although IP leadership is represented at the SCC meetings through\n                      the Partnership and Outreach Division, SCC stakeholders want\n                      PSA Program officials more actively engaged. Attending SCC\n                      meetings would provide the PSA Program with information about\n                      the industry at a local level, which would help bridge potential\n                      gaps between program and industry needs. Working more closely\n                      with the SCC and SSA would help program management align\n                      PSA activities more effectively; understand sector needs and PSA\n                      program effects; repair strained relationships; and further DHS\n                      goals for developing and sustaining partnerships in all areas of\n                      CIKR security.\n\n\n            Recommendations\n                      We recommend that the Director of the Protective Security\n                      Coordination Division:\n\n                      Recommendation #5: Establish formal coordination and\n                      collaboration procedures with DOE to facilitate information\n                      exchange and ensure that DHS and PSA Program field efforts align\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 37\n\n\x0c                      and support DOE as the SSA for the Oil and Natural Gas\n                      Subsector.\n\n                      Recommendation #6: Establish routine PSA Program leadership\n                      involvement in Oil and Natural Gas SCC meetings to obtain\n                      Subsector information during project development and to ensure\n                      program activities and initiatives align with sector needs and sector\n                      specific plans.\n\n\n            Management Comments and OIG Analysis\n                      Management Response: NPPD/IP responded that it non-concurs\n                      with Recommendation 5. IP management said that its current\n                      efforts meet the intent of this recommendation, as it has formal\n                      coordination and collaboration procedures established with all\n                      SSAs. IP coordinates directly with all SSAs and at meetings of\n                      individual GCCs, the Federal Senior Leadership Council, and their\n                      working groups. The PSA Program follows existing procedures to\n                      coordinate and collaborate with the SSAs through IP\xe2\x80\x99s Partnership\n                      and Outreach Division and its Sector-Specific Agency Executive\n                      Management Office.\n\n                      IP responded that in particular, PSCD and PSA Program officials\n                      engage DOE to participate in a multitude of efforts. DOE\n                      personnel responsible for SSA functions have established\n                      relationships and points of contact within PSCD and the PSA\n                      Program that afford DOE direct access to rapidly communicate and\n                      address issues that may arise. DOE receives briefings and\n                      information on PSA efforts, which the PSA program will continue\n                      to provide.\n\n                      As an example of collaboration efforts, IP officials said that the\n                      PSA Program is working with all SSAs to calibrate the weights\n                      and scores of the ECIP security surveys to address the unique\n                      characteristics of each sector. These efforts will enhance the utility\n                      of the ECIP surveys and Dashboards to owner/operators by\n                      providing a more accurate comparison of similar facilities.\n\n                      In August 2010, DOE personnel met with PSA Program personnel\n                      to adjust ECIP security survey scores and weights to address the\n                      unique characteristics of the Energy Sector, its subsectors,\n                      segments, and assets. With the assistance of the SSAs, DHS will\n                      be able to provide a more complete picture of the current posture\n                      of facilities within a sector, as well as across the sectors. The PSA\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 38\n\n\x0c                      Program also regularly coordinates with SSAs by providing\n                      notification of upcoming ECIP visits, and providing ECIP security\n                      survey data.\n\n                      OIG Analysis: We consider IP\xe2\x80\x99s current and proposed actions\n                      partially responsive to Recommendation 5, which remains resolved\n                      and open. The intent of this recommendation is for the PSA\n                      Program to establish formal coordination and collaboration\n                      procedures with DOE to facilitate information exchange, which IP\n                      demonstrated it has done. However, we also recommended that\n                      the PSA Program ensure its field efforts align and support DOE as\n                      the SSA for the Oil and Natural Gas Subsector. DOE officials said\n                      they want to be involved in the assessment programs, but do not\n                      have additional dedicated resources to participate in most PSA\n                      field assessments and visits. Because DOE is unable to participate\n                      in most cases, officials are concerned about PSA interactions with\n                      stakeholders and information collected.\n\n                      Recent efforts by the PSA Program to collaborate and\n                      communicate more effectively with DOE and other SSAs on ECIP\n                      metrics development are commendable; and DOE acknowledges\n                      that communication has improved. This recommendation will\n                      remain open pending our receipt of documentation that supports\n                      the engagement of and coordination with DOE concerning PSA\n                      Program field assessments and visits, and details PSA interactions\n                      with Oil and Natural Gas Subsector stakeholders and information\n                      collection.\n\n                      Management Response: NPPD/IP concurred with\n                      Recommendation 6. IP responded that it has formal coordination\n                      and collaboration procedures between it and the SCC through IP\xe2\x80\x99s\n                      Partnership and Outreach Division, which is the main interaction\n                      conduit between the SCCs and IP. IP leadership, including PSA\n                      Program management staff, routinely attends Energy Sector and\n                      Subsector Critical Infrastructure Partnership Advisory Council\n                      meetings and conference calls, when invited, to discuss IP\n                      activities. IP leadership also attends Oil and Natural Gas\n                      Subsector SCC meetings, when invited, although the SCC has\n                      historically preferred to reserve such discussions for the Critical\n                      Infrastructure Partnership Advisory Council meetings.\n\n                      IP\xe2\x80\x99s Partnership and Outreach Division will continue to elicit\n                      specific concerns and needs of the Oil and Natural Gas Subsector\n                      SCC, and ensure such communication to IP and DHS entities,\n                      including the PSA Program, to facilitate improved activity\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 39\n\n\x0c                      coordination and collaboration. PSCD and the PSA Program will\n                      continue to work with critical infrastructure partners, including the\n                      SCCs, to ensure that advances in critical infrastructure protection\n                      tools and methodologies align with sector-level needs and national\n                      priorities.\n\n                      OIG Analysis: We consider IP\xe2\x80\x99s proposed actions responsive to\n                      Recommendation 6, which remains resolved and open. Although\n                      IP has formal coordination and collaboration procedures between it\n                      and the SCC through its Partnership and Outreach Division,\n                      incorporating the SCC into early program development and\n                      planning would facilitate informed exchanges on whether new\n                      programs are necessary, or whether existing programs serve the\n                      same purpose.\n\n                      Establishing routine PSA Program leadership involvement in Oil\n                      and Natural Gas SCC meetings to obtain subsector information\n                      during project development would ensure PSA Program activities\n                      and initiatives align with sector needs and sector specific plans.\n                      This recommendation will remain open pending our receipt of\n                      documentation that the PSA Program is working routinely with the\n                      SCCs, and details program efforts to ensure that advances in\n                      critical infrastructure protection tools and methodologies align\n                      with sector-level needs and national priorities.\n\n\n   Current Metrics are Inadequate to Measure PSA Program\n   Performance and Outcomes\n            As the PSA Program currently uses quantitative metrics to evaluate\n            performance, those metrics only identify the amount of activity carried out\n            by PSAs and do not demonstrate what outcome resulted from conducting\n            assessments. By developing qualitative measures, the program would be\n            able to assess the value of those activities to stakeholders. Current\n            quantitative metrics do not consider jurisdictional and sector differences,\n            and as more assessments of CIKR facilities occur, qualitative measures\n            that capture assessment value will become increasingly important.\n            Because interaction with the PSA Program is voluntary and there is no\n            mandatory follow-up, it may be difficult for program officials to\n            determine whether coordination of vulnerability assessments, incident\n            support, and information sharing have improved the security posture of\n            stakeholders. In addition, because of the nature of risk mitigation, it may\n            be difficult to measure the effect of PSA activity on the Nation\xe2\x80\x99s CIKR\n            risk. However, this is not specific to the PSA Program, and will continue\n            to be a challenge for the sectors and DHS\xe2\x80\x99 CIKR efforts overall.\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 40\n \n\n\x0c                      PSA Performance Metrics Do Not Capture Full Program\n                      Effectiveness\n\n                      The PSA Program currently evaluates its effect through four PSA\n                      performance metrics. All four are quantitative, and based on\n                      counting instances of a specific activity carried out by PSAs or\n                      supporting staff:\n\n                          \xe2\x80\xa2\t Outreach visits to partners and facilities, which include\n                             working on or planning protection efforts through\n                             assessments, exercises, information sharing, or incident\n                             response;\n                          \xe2\x80\xa2\t National-level assessments, which include coordinating and\n                             working on prevention and protection efforts through\n                             training and evaluating strategies;\n                          \xe2\x80\xa2\t Analyses performed on specific threats using vulnerability\n                             and consequence information for highly populated cities\n                             with a large CIKR concentration; and\n                          \xe2\x80\xa2\t Analyses performed on nationally designated special events\n                             to support the Federal Coordinator.\n\n                      While these dissemination measures are valuable for\n                      demonstrating PSA efforts to help facilities and communities\n                      reduce exposure, these outputs do not demonstrate specific actions\n                      or risk reduction outcomes resulting from those actions. In\n                      addition, the current metrics do not fully capture PSA liaison\n                      activities. A major aspect of a PSA\xe2\x80\x99s usefulness to DHS and\n                      stakeholders is the ability to build reliable relationships during\n                      events and incidents. Current metrics count PSA attempts to\n                      establish a relationship; they do not measure stakeholder\n                      satisfaction with the PSA or measure whether a PSA has become a\n                      true stakeholder resource. The PSA Program can obtain this\n                      information by becoming more engaged in SCC meetings and\n                      receiving direct feedback from stakeholders.\n\n                      Preparedness, Engagement, and Openness Differ Among\n                      Sectors\n\n                      The 18 CIKR sectors differ significantly in nature, scope,\n                      engagement in critical infrastructure protection efforts, and NIPP\n                      implementation. Most of the oil and natural gas industry has been\n                      securing and protecting its infrastructure for decades because of\n                      threats such as vandalism, eco-terrorism, natural disasters, and\n                      product theft.\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 41\n \n\n\x0c                      The industry as a whole frequently shares best practices through\n                      trade associations and committees, as well as professional\n                      organizations that focus on the sector, and numerous regulatory\n                      agencies often include security among the areas routinely\n                      inspected.\n\n                      Many other sectors, however, are just beginning to recognize\n                      CIKR vulnerabilities and risk levels. This is an area of opportunity\n                      for the PSA Program to build relationships and provide needed\n                      services. However, many facilities, especially if unregulated, are\n                      unfamiliar with sharing security details with governmental entities,\n                      and may be less likely to engage in a relationship and partnership\n                      with the program. In addition, some industries, even when\n                      accustomed to regulation, are extremely reluctant to share\n                      information with anyone, especially government entities.\n                      Relationships must be built slowly and deliberately to demonstrate\n                      partnership value and necessity for the PSA to progress its risk\n                      reduction relationship. When the PSA Program measures\n                      effectiveness quantitatively, there is no opportunity to determine\n                      the differences in sector openness, engagement, and levels of\n                      preparedness and organization.\n\n                      Distribution of CIKR Assets Differ Among Jurisdictions\n\n                      Some states have high concentrations of critical infrastructure in\n                      certain areas. For example, oil and natural gas industry assets are\n                      more predominant in certain states, such as those in the Gulf Coast\n                      region. In some states, such as New Jersey, these assets may be\n                      concentrated in close proximity to populated areas or other\n                      industries that could pose a threat should disruption occur. Some\n                      states may have three or four critical facilities spread over a large\n                      geographic area, while a city in another state may have more than\n                      100 critical assets. In addition, some cities or states may have\n                      large, recurring national level exercises, while in another state the\n                      PSA might work on a number of smaller local exercises. An asset\n                      rich location can provide a PSA with many opportunities to engage\n                      stakeholders, which stakeholders have described as extremely\n                      valuable. This engagement increases the likelihood of conducting\n                      assessments. The PSA Program measures its effectiveness by PSA\n                      performance, and current performance metrics do not account for\n                      jurisdiction and geographic differences, which could affect\n                      program performance estimates.\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 42\n \n\n\x0c                              Measuring Program Effect Will Continue to be a Challenge\n\n                              Challenges in measuring PSA Program risk reduction efforts will\n                              continue because stakeholder participation is voluntary, and PSAs\n                              have not tracked or recorded recommendation implementation.\n                              Although the surveys and ECIP Dashboard inform owner/operators\n                              how to further reduce risk, the program has not conducted\n                              subsequent assessments at those facilities. These tools provide the\n                              facility with a picture of its current protective measure index, but\n                              do not account for a comparison of protection levels over time. By\n                              increasing coordination and information sharing with the SSAs and\n                              other regulatory entities, the PSA Program may be able to obtain\n                              data regarding changes in protective measures over time.\n\n                              In addition, because the PSAs have not conducted multiple ECIPs\n                              and SAVs at the same facility, there is the potential for assessment\n                              of all critical infrastructure assets in a jurisdiction. Though this\n                              may be many years in the future, such an occurrence would\n                              diminish quantitative metrics value, and increase the importance of\n                              determining stakeholder satisfaction.\n\n                              According to DHS\xe2\x80\x99 Strategic Plan, qualitative and quantitative risk\n                              assessments will inform the department\xe2\x80\x99s decisions on the use of\n                              limited resources, which \xe2\x80\x9cwill be targeted at the most significant\n                              threats, vulnerabilities, and potential consequences.\xe2\x80\x9d18 The PSA\n                              Program needs to be prepared to measure efforts and activities\n                              using quantitative and qualitative metrics where appropriate.\n\n\n                    Recommendation\n                              We recommend that the Director of the Protective Security\n                              Coordination Division:\n\n                              Recommendation #7: Define qualitative metrics that account for\n                              the extent to which PSA activities contribute to achieving PSA\n                              Program, IP, NPPD, and DHS CIKR protection goals and\n                              objectives.\n\n\n\n\n18\n     U.S. Department of Homeland Security Strategic Plan Fiscal Years 2008-2013, September 2008.\n\n\n\n        Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                          Oil and Natural Gas Subsector \n\n\n                                                      Page 43\n\n\x0c            Management Comments and OIG Analysis\n                      Management Response: NPPD/IP concurred with\n                      Recommendation 7: In its response, IP said that the PSA Program\n                      has grown and matured since its inception to become a focal point\n                      for IP activities and interaction with state, local, tribal and\n                      territorial and private sector partners, and DHS as a whole. As\n                      such, IP developed new metrics to capture the program\xe2\x80\x99s impact on\n                      securing the Nation\xe2\x80\x99s critical infrastructure. As noted in response\n                      to Recommendations 1, PSCD is using 180-day assessment follow-\n                      up interviews to capture data on how the PSAs, IP, and NPPD are\n                      buying down risk for the Nation\xe2\x80\x99s critical infrastructure\n                      owner/operators, and demonstrating progress in protecting critical\n                      infrastructure.\n\n                      This implementation data is being used to develop performance\n                      metrics for the PSA Program that demonstrate how PSA activities\n                      contributed to PSA Program, IP, NPPD, and DHS critical\n                      infrastructure protection and resilience goals and objectives, as\n                      articulated in the Quadrennial Homeland Security Review and\n                      Bottom Up Review.\n\n                      OIG Analysis: We consider IP\xe2\x80\x99s proposed actions responsive to\n                      Recommendation 7, which remains resolved and open. However,\n                      the proposed metrics as described in IP\xe2\x80\x99s response suggest\n                      outcome-based efforts that align more with guiding programmatic\n                      planning and measuring progress toward specific CIKR goals and\n                      objectives. Assessing and mitigating CIKR vulnerabilities is only\n                      one aspect of the PSA Program\xe2\x80\x99s partnership with stakeholders,\n                      and metrics based on such data do not capture the less tangible\n                      aspects of the program\xe2\x80\x99s successes or challenges. The intent of\n                      this recommendation is to develop qualitative measures, so that the\n                      program would be able to assess the value of those activities to\n                      stakeholders.\n\n                      Because the PSA Program builds relationships, soliciting feedback\n                      from public and private sector stakeholders on the quality of their\n                      interactions with the PSAs and the value of the program as a DHS\n                      resource is key in measuring the program\xe2\x80\x99s success. This\n                      recommendation remains open pending our receipt of metrics\n                      designed to capture qualitative measures, which assess the value of\n                      those activities to stakeholders.\n\n\n\n\nProtective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                  Oil and Natural Gas Subsector \n\n\n                                              Page 44\n \n\n\x0cConclusion\n               Public and private stakeholders consider the PSA Program an effective\n               resource. Initially focused on establishing local partnerships to increase\n               resilience of CIKR against terrorism, PSA activities have expanded to\n               include all aspects of securing and protecting the nation\xe2\x80\x99s CIKR in an all-\n               hazards environment. As more innovative methods, techniques, and tools\n               are developed, the program is adapting accordingly to meet the needs of\n               DHS\xe2\x80\x99 partners and to maintain PSA Program staff capabilities. While\n               extensive stakeholder relationships and partnerships are developing at the\n               state, local, and community levels, more attention is necessary to\n               incorporate national level partners and stakeholders into PSA Program\n               strategic planning. Enhanced efforts to coordinate within DHS and to\n               collaborate with federal partners would increase the program\xe2\x80\x99s value to\n               stakeholders.\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                 Page 45\n \n\n\x0cAppendix A\nPurpose, Scope, and Methodology\nAppendix A:        Purpose, Scope, and Methodology\n\n\n\n\n                                                     We reviewed how the PSA Program supports DHS\xe2\x80\x99 mission to\n                                                     protect the nation\xe2\x80\x99s CIKR in the Oil and Natural Gas Subsector of\n                                                     the Energy Sector. We also reviewed the program\xe2\x80\x99s role in\n                                                     coordinating with subsector stakeholders to help strengthen critical\n                                                     infrastructure protection capabilities, identify vulnerabilities, and\n                                                     reduce risks. We did not include an evaluation of the Electricity\n                                                     Subsector in this review. Our objectives were to determine:\n\n                                                        \xe2\x80\xa2\t to what extent PSAs are aligned to support NPPD\xe2\x80\x99s mission\n                                                           and DHS\xe2\x80\x99 overall critical infrastructure protection strategy;\n                                                        \xe2\x80\xa2\t the metrics that the PSA Program uses to assess its own\n                                                           performance;\n                                                        \xe2\x80\xa2\t whether adequate guidance and resources have been \n\n                                                           provided to support program growth; \n\n                                                        \xe2\x80\xa2\t the methods that PSAs use to coordinate with and assist oil\n                                                           and natural gas stakeholders in identifying, prioritizing,\n                                                           assessing, and protecting critical infrastructure and key\n                                                           resources in this subsector; and\n                                                        \xe2\x80\xa2\t how oil and natural gas stakeholders use the work\n                                                           performed by PSAs to help strengthen the subsector\xe2\x80\x99s\n                                                           critical infrastructure protection capabilities, identify\n                                                           vulnerabilities, and reduce risks.\n\n                                                     We reviewed relevant legislation, regulations, directives, policies,\n                                                     strategic plans, annual reports, and collected program documents,\n                                                     including budgets, official guidance documents and manuals,\n                                                     guidelines, operating procedures, and position descriptions. We\n                                                     also studied work previously performed by our office and the\n                                                     Government Accountability Office in this and associated areas.\n\n                                                     In Washington, D.C., we interviewed PSA Program officials; other\n                                                     officials within IP\xe2\x80\x99s Protective Security Coordination,\n                                                     Infrastructure Information Collection, and Partnership and\n                                                     Outreach Divisions; as well as officials in TSA\xe2\x80\x99s Pipeline Security\n                                                     Division. We also interviewed DOE officials from the Office of\n                                                     Fossil Energy and Office of Electricity Delivery and Energy\n                                                     Reliability\xe2\x80\x99s Infrastructure Security and Energy Restoration\n                                                     Division.\n\n                                                     We conducted fieldwork in locations where we could obtain\n                                                     multiple Oil and Natural Gas Subsector stakeholder perspectives.\n                                                     We visited New Orleans and Baton Rouge, Louisiana; Oklahoma\n                                                     City, Oklahoma; Austin and Dallas, Texas; New York City and\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                Oil and Natural Gas Subsector \n\n\n                                                                         Page 46\n \n\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n                          Albany, New York; Trenton, New Jersey; and Sacramento and Los\n                          Angeles, California.\n\n                          In each state visited, we interviewed PSAs; state and local\n                          homeland security and emergency management officials; oil and\n                          natural gas industry facility and security managers; and industry\n                          and trade association representatives. Our stakeholder sample\n                          included officials who had worked with one or more PSAs\n                          regularly, periodically, and only a few times. We also spoke with\n                          stakeholders who had never worked with a PSA, as well as\n                          stakeholders unaware of the PSA Program.\n\n                          We conducted telephone interviews with stakeholders in Corpus\n                          Christi and Houston, Texas; Salt Lake City, Utah; and Washington,\n                          D.C. We also interviewed the IP Regional Directors in Atlanta,\n                          Georgia and Salt Lake City, Utah, as well as the PSA in\n                          Anchorage, Alaska by telephone.\n\n                          PSAs, state and local emergency management and homeland\n                          security officials we interviewed are involved in all 18 CIKR\n                          sectors. Therefore, stakeholder perspectives describe PSA work in\n                          all sectors represented in specific jurisdictions and districts,\n                          although examples provided are specific to the Oil and Natural Gas\n                          Subsector.\n\n                          We performed our fieldwork between November 2009 and April\n                          2010. We initiated this review under the authority of the Inspector\n                          General Act of 1978, as amended, and according to the Quality\n                          Standards for Inspections, issued by the President\xe2\x80\x99s Council on\n                          Integrity and Efficiency.\n\n\n\n\n    Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                      Oil and Natural Gas Subsector \n\n\n                                                  Page 47\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\nAppendix B:          Management Comments to the Draft\nReport\n\n\n\n\n                                                                                               UfJiL\'c\' of/lro: UIIIII/f St\'Cfl\'tUf}\'\n                                                                                               l\\\'lIIfl/lmll\xc2\xb7(/J/.\'Ctiol. IIml Pf"Xflllllj Difec/llmlc\'\n                                                                                                I.S.lkll:lrtnttnl o(II,,",,:l:Inll ~\xc2\xaburit~\n                                                                                                \\\\ #I~hin~t"n, Il( :!OS:!~\n\n\n\n                                                                                               Homeland\n                                                                                               Security\n                                                            OCT 22 2010\n              MEMORANDUM FOR:                           Richard L. Skinner\n                                                        Inspector Genernl\n\n              FROM:                                     Rand Beers      /J   A\n                                                        Under Secrctary ij V I\n\n              SUI3JECT:                                 NPPD Responsc to the Department ofllomcland Security\'s omc:~\n                                                        or Inspcctor Gcneral draft rcport, Protecth\'e Security Advisor\n                                                        Program Efforts {() Build EffcC:live Criticallll/rastrllcture\n                                                        Pal\'fllCrships: Oil and Natural Gas SubsecfOr (OIG\xc2\xb709\xc2\xb7203\xc2\xb7ISP\xc2\xb7\n                                                        NPI\'D)\n\n              This memorandum responds to the scven rccommendations outlined in the August 2010\n              Department or Homeland Securily\'s Orticc or Inspcctor Gcncral (DIG) report Protecfh\'e\n              Security Advisor Program EffiJrls to Build J:.llecli\\\'l! Critical Infrastructure Partnerships: Oil a"d\n              Natural Gas Subsector. The rccommcndations were all direcled to the Nalional Protection and\n              Programs Directorate\'s (NPPD\'s) Office of Infrastntcturc Protection (IV) I>rotective Security\n              Coordination Division (PSCD). which operates the Protective Security Advisor (PSA) Program.\n\n              Recommcndation #1: Develop a process to lruck and record voluntary asscssmcllI\n              recomlllcndmion implcmcTlIation, and lISC this information to guide fi.nurc PSA Program\n              recommcndations, rcsource crrorts. and planning.\n\n              Response: NPPDIlP concurs wilh this recommendatioll, and has alrcady established proccsscs\n              and mctrics to trad vollllllary implementation or security and resilicnce improvcments as a\n              restlll or IP assessments. Thc PSA Program has implemented 180-day rollow-up interviews thai\n              arc spccifically designcd 10 capture infonnatiol1 on implemcntation or risk reduction activities\n              following PSA-conducted Enhanced Criticallnrrastructure Protection (ECIP) security survcys.\n              As racilitics recci\\!e subsequent ECIP surveys. more data can be collected that will infoml Ihe\n              change cfTecled by lhe PSA Program. \'111C 180\xc2\xb7day follow-up currently identifies improvemcnts\n              madc or implcmented to physical sccurily. security rorce. sceurily managemcnt, infomlation\n              sharing, protcctive measures. and dependencies.\n\n              In Junc 201 0, llsing the EelP S~ClJrjty survcy and 180\xc2\xb7day lollow-up data, PSCD analyzed ror\n              the firsttirnc the implementation ofvolulltary protective measures at facilities receiving ECIP\n              visits. or lhe 473 facilities. 234 (49%) made improvcments during the 180-day follow-up\n              period. Those 234 l\'acilities made a tOlal of 497 improvcmcnts across information sharing,\n              securilY managcmcnt, security force. physical security, and dependencics. This mctric Wi.lS Ihe\n              first ever produced demonstraling the impnct of the PSAs and ECIP security surveys. Based 011\n\n\n\n\n                Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                  Oil and Natural Gas Subsector \n\n\n                                                                         Page 48\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n                                                                                                      2\n\n\n   this initial analysis of implementation data, IP is developing new performance melrics that will\n   reflect implementation of improvements to security and resilience as a result of voluntary IP\n   assessments. These new metrics are in the process of being approved by NPPD.\n\n   This 180-day follow-up process to capture implementation dala is also being incorporated into\n   other IP assessments, namely the Site Assistance Visit (SAV}, a facility vulnerability assessment\n   coordinated by the PSAs and conducted by IPIPSCD\'s vulnerability assessment teams. The\n   SAV is a more in-depth assessment that builds on the EelP security survey data that will capture\n   and report on improvements related to facility threats. options for consideration to mitigate\n   vulnerabilities. commendable actions. and resilience in addition to the ECIP security survey\n   categories of infonnation sharing, security management, security force, physical security, and\n   dependencies.\n\n   Certain nationally significant critical infrastructure facilities receive (or are offered) EClP\n   security surveys every year. Additionally, ECIP security surveys are used to identify facilities\n   that may benefit from the more in-depth SAY. In this manner, SAYs are conducted as follow-\n   ups to ECIP security surveys. Through the ISO-day follow-up process and subsequent\n   assessments of those same facilities, IP will be able to capture and track improvements over\n   time, providing a better understanding of how the PSA Program, IP, and NPPD are buying down\n   risk for the Nation\'s critical infrastructure. The facility security and resilience data, and\n   voluntary implementation data captured by these IP assessments will allow the Department of\n   Homeland Security (DHS) to evaluate the national protection posture of critical infrastructure,\n   and infonn NPPD,IP, and PSA Program goals, future planning efforts, and resource allocations.\n\n   Recommendation #2: Develop a mission statement for the PSA Program, and communicate the\n   mission within DHS, to public and private stakeholders, SSAs [Sector Specific Agencies], and\n   other Federal CIKR [Critical Infrastructure and Key Resources] partners.\n\n   Response: NPPDIIP concurs with the recommendation. The PSAs do have a clearly defined\n   mission statement, which is described in the PSA Program Management Plan. The PSA\'s\n   mission statement is 10 "represent DHS and IP in local communities throughout the United\n   States."\n\n   The mission of the PSAs is to work with State Homeland Security Advisors\' (HSAs) offices and\n   their security partners throughout the region, serving as liaisons between DHS; the private sector;\n   and Federal, State, territorial,local, and tribal entities and acting as the DHS onsite critical\n   infrastructure and vulnerability assessment specialists. During natural disasters and contingency\n   events, PSAs work in State and local emergency operations centers and provide expertise and\n   support to the IP Infrastructure Liaison Cell, working to support the Principal Federal Official\n   and Federal Coordinating Officer responsible for domestic incident management. Additionally,\n   PSAs provide support to officials responsible for special events planning and exercises, and\n   provide real-time infonnation on facility significance and protective measures to facility owners\n   and operators and State and local representatives.\n\n   PSAs are able to articulate the program\'s mission to stakeholders, and the stakeholders\n   understand the impact and value that it has for them individually; however, the stakeholders do\n\n\n\n\n    Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                      Oil and Natural Gas Subsector \n\n\n                                                  Page 49\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n                                                                                                       J\n\n\n  not perceive the broader. national level impact of coordinated PSA activities across the country.\n  The issue is not the lack of a mission statement, but rather the messaging of this mission to\n  stakeholders such that they understand the national level purpose and mission of PSA activities\n  and how they link with those of other Federal agencies and programs with similar\n   responsibilities. The PSA Program will better communicate to stakeholders the PSA Program\'s\n   intended results and overall mission.\n\n   Recommendation #3: Develop achievable PSA Program milestones. based on results-oriented\n   goals. Ooals and objectives should align with and influence achieving DIP, NPPD, and DHS\n   CIKR goals and objectives.\n\n   Response: NPPDflP non-concurs with the recommendation. The PSA Program has reached a\n   degree of operational malUrity where it is now no longer focused on mile5tones, which are\n   typically related to program establishment (e.g., creating an IPIPSA presence in every State).\n   The PSA Program has matured and has developed performance metrics to measuTC the results of\n   its efforts (see Recommendation #7 for more further detail on these metries), which are aligned\n   with and influence achieving IP. NPPD. and DHS goals and objectives.\n\n   Recommendation #4: Inventory regulatory and voluntary assessments, reviews. and resources\n   of tribal, local, State, and Federal governmental entities that affect Oil and Natural Gas Subsector\n   stakeholders, and determine where the PSA Program can leveragc efficiencies and enhance\n   coordination.\n\n   Response: NPPDflP concurs with the recommendation. IP agrecs that a comprehensive\n   inventory of these items would be beneficial to provide to the PSAs to improve their sector\n   knowledge; however, development of such an inventory is not the responsibility of the PSA\n   Program or PSCD. Responsibility for maintaining this level of awareness of relevant\n   assessments, reviews, and resources affecting Sectors lies with the Sector-Specific Agencies\n   (SSAs). Sector Specialists from IP\'s Partnership and Outreach Division (POD) will work with\n   the Department of Energy (DOE). the SSA for the Oil and Natural Gas Subsector,to create a\n   consolidated inventory of the regulatory and voluntary assessments, reviews, and resources that\n   affect Oil and Natural Gas Subsector stakeholders. The PSA Program will support POD in this\n   endeavor to create the inventory. and once completed, will determine where the PSA Program\n   can leverage efficiencies and enhance coordination. Where other assessments. reviews, and\n   resources are already known to the PSA Program, the Program docs coordinate with relevant\n   stakeholders and work to create efficiencies.\n\n   Recommendation #5: Establish formal coordination and collaboration procedures with DOE to\n   facilitate information exchange and ensure that DHS and PSA Program field efforts align and\n   support DOE as the SSA for the Oil and Natural Gas Subsector.\n\n   Response: NPPDnp non-eoncurs with the recommendation as current efforts meet the intent of\n   the recommendation. Formal coordination and collaboration procedures between IP and all\n   SSAs are already established. IP coordinates with all SSAs directly and at meetings of\n   individual Government Coordinating Councils (GCes), the Federal Senior Leadership Council,\n   and their working groups. The PSA Program follows the existing procedures to coordinate and\n\n\n\n\n    Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                      Oil and Natural Gas Subsector \n\n\n                                                  Page 50\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n                                                                                                     4\n\n\n\n   collaborate with the SSAs through IP/POD and IP\'s Seclor-Specific Agency Executive\n   Management Office (SSA EMO).\n\n   DOE in particular has been engaged by PSCD and PSA Program officials to participate in a\n   mullilude ofefforts. In addition to the standard cbmmunication channels described in the\n   previous paragraph, DOE personnel responsible for SSA functions have established relationships\n   and points of contact within PSCD and the PSA Program that afford them direct access to rapidly\n   communicate and address issues that may arise. The PSA Program provides DOE with briefings\n   and information on PSA efforts, and will continue to do so.\n\n   As an example of collaboration efforts, the PSA Program is working with all SSAs to calibrate\n   the weights and scores afthe EelP security surveys (0 address the unique characteristics ofeach\n   sector, which will enhance the utility aftbe EelP surveys and Dashboards to owners and\n   operators by enabling more accurate comparisons of like facilities. In August 2010, DOE\n   personnel met with PSA Program personnel to adjust ECIP security survey scores and weights to\n   address the unique characteristics of the Energy Sector. its subscctors, segments. and assets.\n   With the assistance of the SSAs. DHS will be able to providc a more completc picture of the\n   current posture of facilities within a sector as well as across the sct:tors. The PSA Program also\n   regularly coordinates with SSAs by providing nOlification of upcoming ECIP visits. and\n   providing ECIP security survey data.\n\n   Recommendation 116: Establish routine PSA Program leadership involvement in Oil and Natural\n   Gas Subsector SCC meetings to obtain SCC information during project development and to\n   ensure program activities and initiatives align with sector needs and sector-specific plans.\n\n   Rnponu: NPPD/IP concurs with the recommendation. Fonnal coordination and collaboration\n   procedures between IP and the Sector Coordinating Councils (SCC) are already established\n   through POD, who is the main conduit for interaction between the SCCs and IP. IP leadership,\n   including PSA Program management stafT, routinely attends Energy Sector and Subsector\n   Critical Infrastructure Partnership Advisory Council (CIPAC) meetings and conference calls\n   when invited to discuss IP activities. IP leadership also attends Oil and Natural Gas Subsector\n   SCC meetings. when invited, although the SCC has historically preferred to reserve such\n   discussions for the CIPAC meetings. POD will continue to elicit specific concerns and needs of\n   the Oil and Natural Gas Subsector SCC, and ensure they are communicated to IP and DHS\n   entities. including the PSA Program. to facilitate improved activity coordination and\n   collaboration. PSCD and the PSA Program will continue to work with critical infrastructure\n   partners. including the SCCs, to ensure that advances in critical infrastruclure protection tools\n   and methodologies align with sector-level needs and national priorities.\n\n   Recommendation 117: Define qualitative metrics that account for the extent to which PSA\n   activities contribute to achieving PSA Program, IP. NPPD, and DHS CIKR protection goals and\n   objectives.\n\n   Response: NPPDIIP concurs with the rerommendation. Understanding that the PSA Program\n   has grown and matured since its inception to become a focal point for IP activities and\n   interaction with State, local, tribal and territorial and private sector partners, and DHS as a\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                 Page 51\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n                                                                                                      5\n\n\n   whole, new metncs have been developed 10 better capture the Program\'s impact on securing the\n   Nation\'s critical infrastructure. As noted in response 10 recommendations #1, PSCD is using\n   ISO-day assessment follow-up interviews to capture data on how the PSAs, IP, and NPPD are\n   "buying down risk" for the Nation\'s critical infrastructure owners and operators, and\n   demonstrating progress in protecting critical infrastructure. This implementation data is being\n   used 10 develop perfonnance mclrics for the PSA Program that demonstrate how PSA activities\n   contributed to PSA Program.IP, NPPD. and DHS critical infrastructure protection and resilience\n   goals and objectives, as articulated in the Quadrennial Homeland Security Review and Bottom\n   Up Review.\n\n   Other Report Findings:\n\n   In addition to the responses to the seven recommendations in the draft report, IP/PSCD has the\n   following comments about other audit findings that are not expressly included in the\n   recommendations.\n\n   With regard to the report\'s finding that "[sJhould a current PSA leave, stakeholders recommend a\n   period of overlap between the cUlTent PSA and the new PSA to help ensure a smooth transition,"\n   it is the position of IP/PSCD that this is not possible under the Federal hiring process and Office\n   of Personnel Management regulations. IP/PSCD has been fortunate to have an uncommonly\n   high retention rate for PSAs. However, to address the issue of transition, the PSA Program has\n   established procedures to mitigate any possible lack of coverage that could be experienced by the\n   departure of a PSA. When a PSA leaves, the PSA Program directs another PSA (or multiple\n   PSAs) from neighboring districts to assume responsibility for the affected district. The new PSA\n   is introduced to stakeholders prior to the departure of the outgoing PSA in order to familiarize\n   stakeholders with the new individual, fonnalize the transition of responsibility, and ensure\n   continuity ofefTort. The IP Regional Director is also typically involved in facilitating this\n   transition. This new PSA covers the district of the outgoing PSA, in addition to his own, until\n   the outgoing PSA is pennanently replaced. Once the pennanent replacement is hired or\n   identified, the pennanent replacement is transitioned into the district in the same fashion.\n\n   The report also presented the perception that the PSAs did not effectively assist States in the\n   development of annuallisls of prioritized CIKR:\n\n   "Some state officials also expressed the need for better communication between DHS\n   headquarters and PSAs, specifically regarding the submission ofCIKR for DHS\' critical\n   asset lisls. While the PSAs ofTer states assistance in compiling the lists, the PSAs are often\n   unable to explain, or identify an IP representative who can explain, the criteria for why some\n   assels are included on the Levell/Level 2 list, and why some are not. Concerning additional\n   support needed from PSAs, some stales want 10 use the PSAs more for stale CIKR data call\n   submissions to DHS and for assel prioritization."\n\n   IP/PSCD vigorously disputes this assertion, as this is an instance of the States misunderstanding\n   the role of the PSAs in the CIKR dala call. In this case the States are requesting infonnation of\n   the PSAs that is outside of the scope of their responsibility and authority to provide. The role of\n   the PSA in the CIKR data call is to assist States in compiling the lists by helping State personnel\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                 Page 52\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n                                                                                                          6\n\n\n   identify infrastructure critical to thal State, and to verify facility data (e.g., physical address.\n   gcospalial coordinates, name). PSAs are nol involved in the establishment of the criteria, or the\n   determinations to include or not facilities on the final prioritized list of critical infrastructure, as\n   this is the function of IP\'g Inrraslructurc Analysis and Strategy Division (lAS D). PSAs do not\n   participate in those analyses or make those decisions, as it is beyond the scope of their\n   responsibilities. PSAs can, and do. facilitate Siaies\' questions and requests 10 the appropriate IP\n   representatives to provide the requested explanations when possible. IP is aware of these issues\n   related to the dala call, and is actively working 10 offer more direct support to the States to\n   improve coordination, eliminate confusion over the role of the PSAs, and reduce the burden on\n   State personnel. For the recent FY 2011 CIKR data call, IP and IASD made more personnel and\n   resources available to Stales to assist in the list development process and to answer questions\n   regarding the criteria and selection decisions. This increased support included:\n\n       \xe2\x80\xa2   Dedicated IP regional risk analysts and subject mailer experts to answer questions to\n           supplement the support provided by the PSAs;\n       \xe2\x80\xa2   In-person data call assistance visits to the States (all States and territories were offered\n           the opportunity for in-person visits to assist with the identification of qualifying\n           infrastructure; 42 were Visited);\n           Teleconferences with Homeland Security Advisors and critical infrastructure protection\n           program directors to discuss preliminary list dcterminations;\n           Online Webinars, guidance documents, newsletters; and\n           Dissemination of a lessons Icarned documcnt providing examples of successful\n           nominations to help partners identify similar infrastructure and improve justification.\n\n   The application of these additional resources has provided States with direct access to personnel\n   and resources that will address the critical infrastructure list\xc2\xb7related issues identified in this\n   report. The increase in direct support to States from IASD should alleviate the inequitable\n   situation wherein PSAs are expected to provide support beyond their capabilities and assigned\n   rolcs and responsibilities.\n\n   NPPD/IP is pleased to see that the OIG found that "(pJublic and private stakeholders confirm\n   that the Protective Security Advisor Program is an effective resource," and that "the program is\n   adapting accordingly to meet the needs of department partners and to maintain program stafT\n   capabilities." These findings support and are consistent with a recent report by the State, Local,\n   Tribal, and Territorial Government Coordinating Council (SLITGcq, entitled "Aligning\n   Federal CIKR Capabilities to Meet Needs in the Field," datcd May 2010. The value orthe PSA\n   program was specifically cited in the SLlTGCC Rcport, which states, "The joint visits at CIKR\n   sitcs by PSAs and the SLIT representatives in that jurisdiction have improved the ability to\n   collaborate between levels of government and with CIKR owners and operators." Additionally,\n   the report states:\n\n    "The PSA Program is successful for three key reasons: it was established with its\n    stakeholders in mind, PSAs contribute valuablc tools to the field, and the program has\n    resulted in increased partnership across the country. The following aspects are particularly\n    effective:\n\n\n\n\n   Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                     Oil and Natural Gas Subsector \n\n\n                                                    Page 53\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n                                                                                                     7\n\n\n\n          \xe2\x80\xa2   The program was developed in consultation with SLIT governments.\n          \xe2\x80\xa2   PSA have the ability to provide products and tools of significant value to SLIT\n              governments and CIKR owners and operators.\n          \xe2\x80\xa2   A non-regulatory approach governs PSA activities.\n          \xe2\x80\xa2   The hard work ofPSAs in the field has yielded improved partnerships."\n\n   We extend our thanks for the opportunity to work with the Office of Inspector General during\n   this engagement. The Office of Inspeetor General\'s independent analysis ofprogram\n   perfonnance greatly benefits NPPO\'s ability to improve its activities and refine its programs.\n   We look forward to continuing this partnership in the future.\n\n   Should you have any qucstions, please contact Michael McPoland, Director, NPPD GAO-OIG\n   Liaison Office at (703) 235-2175.\n\n\n\n\n    Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                      Oil and Natural Gas Subsector \n\n\n                                                  Page 54\n \n\n\x0cAppendix C\nSectors, Subsectors, and Sector-Specific Agencies\nAppendix C:        Sectors, Subsectors, and Sector-Specific Agencies\n\n\n\n\nCIKR Sector (Subsector)                                                Sector-Specific Agency         Profile\n Banking and Finance                                                   Department of the Treasury       Financial institutions including banks, insurers,\n                                                                                                        securities brokers/dealers, and investment\n                                                                                                        companies\n Chemical                                                              DHS/Office of Infrastructure     Facilities converting raw materials into chemical\n  \xe2\x80\xa2 Basic Chemicals                                                    Protection                       products, or using, storing, packaging, transporting,\n  \xe2\x80\xa2 Specialty Chemicals                                                                                 delivering, marketing, recycling, and disposing of the\n  \xe2\x80\xa2 Agricultural Chemicals                                                                              chemicals; including manufacturing plants, transport\n                                                                                                        systems, distribution systems (storage, stockpile,\n  \xe2\x80\xa2 Pharmaceuticals\n                                                                                                        and supply areas), and research and educational\n  \xe2\x80\xa2 Consumer Products                                                                                   institutions\n Commercial Facilities                                                 DHS/Office of Infrastructure     Office/apartment buildings, condominiums, mixed-\n  \xe2\x80\xa2 Real Estate                                                        Protection                       use facilities, self-storage\n  \xe2\x80\xa2 Public Assembly                                                                                     Arenas, stadiums, aquariums, zoos, museums,\n  \xe2\x80\xa2 Sports Leagues                                                                                      convention centers\n                                                                                                        Professional sports leagues and federations\n  \xe2\x80\xa2 Gaming\n                                                                                                        Casinos\n  \xe2\x80\xa2 Lodging                                                                                             Hotels, motels, conference centers\n  \xe2\x80\xa2 Outdoor Events                                                                                      Theme and amusement parks, fairs, campgrounds,\n  \xe2\x80\xa2 Entertainment & Media                                                                               parades\n  \xe2\x80\xa2 Retail                                                                                              Motion picture studios, broadcast media\n                                                                                                        Retail centers and districts, shopping malls\n Communications                                                        DHS/Office of Cybersecurity      Broadcasting, cable, wireline industries, and\n                                                                       & Communications                 networks supporting the Internet; using terrestrial,\n                                                                                                        satellite, and wireless transmission systems\n Critical Manufacturing                                                DHS/Office of Infrastructure     Facilities producing, processing, or converting:\n   \xe2\x80\xa2 Primary Metal                                                     Protection                       Iron, steel, ferro alloys, and aluminum\n   \xe2\x80\xa2 Machinery                                                                                          Engines, turbines, and generators\n   \xe2\x80\xa2 Electrical Equipment                                                                               Electrical transformers\n                                                                                                        Motors, switchboard apparatus, relays, and industrial\n   \xe2\x80\xa2 Appliances & Components\n                                                                                                        controls\n   \xe2\x80\xa2 Transportation Equipment                                                                           Motor vehicles, aerospace products, and railroad\n                                                                                                        rolling stock\n Dams                                                                  DHS/Office of Infrastructure     Water retention and/or control facilities, including\n                                                                       Protection                       dams, hydropower plants, navigation locks, levees,\n                                                                                                        hurricane barriers, and industrial waste\n                                                                                                        impoundments\n Defense Industrial Base                                               Department of Defense            Entities performing military-related work, including\n                                                                                                        researching, developing, designing, producing,\n                                                                                                        delivering, and maintaining military weapons\n                                                                                                        systems, subsystems, components, or parts\n Emergency Services                                                    DHS/Office of Infrastructure     System of elements for saving lives, protecting\n                                                                       Protection                       property and the environment, assisting\n                                                                                                        communities impacted by disasters (natural or\n                                                                                                        malevolent), and aiding recovery from emergency\n                                                                                                        situations\n                                                                                                        [Primary protector for all other CIKR]\n Energy                                                                Department of Energy             Generation, transmission, and distribution of electric\n  \xe2\x80\xa2 Electricity                                                                                         power, except for commercial nuclear power\n  \xe2\x80\xa2 Oil & Natural Gas                                                                                   facilities\n                                                                                                        Production, refining, storage, and distribution of oil\n                                                                                                        and natural gas\n\n\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                Oil and Natural Gas Subsector \n\n\n                                                                                           Page 55\n \n\n\x0cAppendix C\nSectors, Subsectors, and Sector-Specific Agencies\n\nCIKR Sector (Subsector)                  Sector-Specific Agency               Profile\nFood and Agriculture                     Department of Agriculture -          Network of systems of production, processing, and\n \xe2\x80\xa2 Producers/Plant                       (Meat, poultry, and egg              delivery including privately owned farms, ranches,\n                                         products; production                 and groves; livestock transport areas, and\n \xe2\x80\xa2 Producers/Animal\n                                         agriculture)                         slaughterhouses; crop production and food\n \xe2\x80\xa2 Processors/Manufacturers\n                                                                              processing facilities; supply chains for feed, animals,\n \xe2\x80\xa2 Restaurant/Food Service               Food & Drug Administration -\n                                                                              seed, and fertilizers; institutional food services, and\n \xe2\x80\xa2 Retail                                (Food other than meat,\n                                         poultry, and egg products;\n                                                                              grocery stores; domestic and imported food supply\n \xe2\x80\xa2 Warehousing/Logistics                                                      safety programs; food assistance programs, and\n                                         food safety and defense)\n \xe2\x80\xa2 Agricultural Production                                                    food distribution mechanisms (transportation and\n   Inputs & Services                                                          warehouses)\nGovernment Facilities                    DHS/Federal Protective               Buildings owned or leased by Federal, state,\n \xe2\x80\xa2 Educational Facilities                Service                              territorial, local, or tribal governments, including\n                                                                              office buildings, embassies, courthouses, and\n                                         Department of Education -            national laboratories\n                                         (Educational Facilities)             All public and private K-12 schools; public and\n                                                                              private higher education institutions, and vocational\n                                                                              and trade schools\nHealthcare and Public Health             Department of Health &               Network of systems to prevent disease and\n                                         Human Services                       disability, treat patients, foster public health, and\n                                                                              respond to public health emergencies including\n                                                                              hospitals, laboratories, blood banks, and medical\n                                                                              supply manufacturing and distribution\nInformation Technology                   DHS/Office of Cybersecurity          Virtual and distributed functions producing and\n                                         & Communications                     providing hardware, software, IT systems and\n                                                                              services, and the Internet\nNational Monuments and Icons             Department of the Interior           Monuments, physical structures, or sites widely\n                                                                              recognized to represent the nation\'s heritage,\n                                                                              traditions, or values, or of important national\n                                                                              cultural, religious, historical, or political significance\nNuclear                                  DHS/Office of Infrastructure         Commercial nuclear power plants; nuclear and\n                                         Protection                           radiological materials used in medical, industrial,\n                                                                              and academic settings; and the transportation,\n                                                                              storage, and disposal of nuclear materials and\n                                                                              radioactive waste\nPostal and Shipping                      DHS/Transportation Security          Providers receiving, processing, transporting, and\n                                         Administration                       distributing letters and parcels, including high-\n                                                                              volume automated processing facilities; collection,\n                                                                              acceptance, and retail operations; courier services;\n                                                                              chartered air delivery services; and information and\n                                                                              communications networks\nTransportation Systems                   Department of                        Aircraft, commercial airports, and heliports\n  \xe2\x80\xa2 Aviation                             Transportation                       Railroads, track, freight cars, and locomotives\n  \xe2\x80\xa2 Freight Rail                                                              Roadways, signature bridges, and tunnels\n                                         DHS/U.S. Coast Guard -               Transit buses, trolleybuses, ferryboats, subways, light\n  \xe2\x80\xa2 Highway                              (Maritime)                           rail, and cable cars\n  \xe2\x80\xa2 Mass Transit\n                                         DHS/Transportation Security          Water-faring vessels, coastline, ports, navigable\n  \xe2\x80\xa2 Maritime                                                                  waterways, and intermodal landside connections\n                                         Administration -\n  \xe2\x80\xa2 Pipeline                                                                  Networks of natural gas, hazardous liquids, and\n                                         (Pipeline)\n                                                                              chemical pipelines\nWater                                    Environmental Protection             Public drinking water systems and wastewater\n                                         Agency                               systems (sanitary sewage treatment)\n\n     Sources: National Infrastructure Protection Plan, February 2009; 2009 Critical Infrastructure Partnership Advisory Council Annual Report;\n \n\n                                    The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, February 2003;\n \n\n                             DHS CIKR Resource Center (http://training.fema.gov/EMIWeb/IS/IS860a/CIKR/sectorMenu.htm, accessed 4/24/10).\n \n\n\n\n\n\n        Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships:\n                                          Oil and Natural Gas Subsector\n\n                                                                  Page 56\n\x0cAppendix D\nPSA Program Organization Chart\nAppendix D:        PSA Program Organization Chart\n\n\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                Oil and Natural Gas Subsector \n\n\n                                                            Page 57\n \n\n\x0cAppendix E\nEnergy Government Coordinating Council Membership\nAppendix E:        Energy Government Coordinating Council Membership\n\n\n\n\n                 U.S. Department of Energy\n                      \xe2\x80\xa2\t Bonneville Power Administration\n                      \xe2\x80\xa2\t Office of Fossil Energy\n                      \xe2\x80\xa2\t Office of Electricity Delivery and Energy Reliability, Office of\n                         Infrastructure Security and Energy Restoration\n                 U.S. Department of Homeland Security\n                      \xe2\x80\xa2\t National Cyber Security Division\n                      \xe2\x80\xa2\t National Infrastructure Protection Plan Program Management Office\n                      \xe2\x80\xa2\t Office of Infrastructure Protection\n                      \xe2\x80\xa2\t Office of Infrastructure Protection, Sector Specific Agency Executive\n                         Management Office, Chemical Branch\n                      \xe2\x80\xa2\t Office of Infrastructure Protection, Sector Specific Agency Executive\n                         Management Office, Dams Branch\n                      \xe2\x80\xa2\t Science & Technology Directorate\n                      \xe2\x80\xa2\t Transportation Security Administration\n                      \xe2\x80\xa2\t Transportation Security Administration, Pipeline Security Division\n                      \xe2\x80\xa2 U.S. Coast Guard\n                 Environmental Protection Agency\n                 Federal Bureau of Investigation\n                 Federal Energy Regulatory Commission\n                 National Association of Regulatory Utility Commissioners\n                 National Association of State Energy Officials\n                 Natural Resources Canada\n                 State, Local, Tribal, and Territorial Government Coordinating Council\n                 Tennessee Valley Authority\n                 U.S. Army Corps of Engineers\n                 U.S. Committee on the Marine Transportation System\n                 U.S. Department of Agriculture\n                 U.S. Department of Defense\n                 U.S. Department of the Interior, Minerals Management Service\n                 U.S. Department of the Treasury\n                 U.S. Department of Transportation\n                      \xe2\x80\xa2\t Maritime Administration\n                      \xe2\x80\xa2 Pipeline and Hazardous Materials Safety Administration\n                 Western Area Power Administration\n\n\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships:\n                                                Oil and Natural Gas Subsector \n\n\n                                                                       Page 58\n \n\n\x0cAppendix F\nOil and Natural Gas Sector Coordinating Council Membership\nAppendix F:        Oil and Natural Gas Sector Coordinating Council Membership\n\n\n\n\n                 AGL Resources, Inc. \n\n                 American Exploration & Production Council \n\n                 American Gas Association \n\n                 American Petroleum Institute \n\n                 American Public Gas Association \n\n                 Anadarko Petroleum Corporation \n\n                 Apache Corporation \n\n                 Association of Oil Pipe Lines \n\n                 BP \n\n                 Canadian Association of Petroleum Producers \n\n                 Canadian Energy Pipeline Association \n\n                 Center for Liquified Natural Gas \n\n                 Collier, Shannon, Scott \n\n                 Colonial Pipeline \n\n                 ConocoPhillips \n\n                 Dominion Resources, Inc. \n\n                 Duke Energy \n\n                 Edison Chouest Offshore, LLC \n\n                 Enbridge \n\n                 Energy Security Council \n\n                 ExxonMobil \n\n                 Flint Hills Resources \n\n                 Gas Processors Association \n\n                 Genesis Energy, Inc. \n\n                 Independent Petroleum Association of America \n\n                 International Association of Drilling Contractors \n\n                 International Liquid Terminals Association \n\n                 Interstate Natural Gas Association of America \n\n                 Kinder-Morgan Pipelines \n\n                 Leffler Energy \n\n                 Marathon Petroleum Company \n\n                 MSW Consulting, LLC \n\n                 National Association of Convenience Stores \n\n                 National Ocean Industries Association \n\n                 National Petrochemical & Refiners Association \n\n                 National Propane Gas Association \n\n                 Nella Oil \n\n                 NiSource, Inc. \n\n                 Noble Drilling Services, Inc. \n\n                 Offshore Marine Service Association \n\n                 Offshore Operators Committee \n\n                 Petroleum Fuel & Terminal Company \n\n                 Petroleum Marketers Association of America \n\n                 Questar Gas Company \n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships:\n                                                Oil and Natural Gas Subsector \n\n\n                                                                                Page 59\n\n\x0cAppendix F\nOil and Natural Gas Sector Coordinating Council Membership\n\n       Rowan Companies, Inc.\n       Sempra Energy\n       Society of Independent Gas Marketers Association\n       Spectra Energy\n       Suncor Energy\n       U.S. Oil & Gas Association\n       Western States Petroleum Association\n       Williams Energy\n\n\n\n\n    Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships:\n                                      Oil and Natural Gas Subsector \n\n\n                                                  Page 60\n \n\n\x0cAppendix G\nMajor Contributors to This Report\nAppendix G:        Major Contributors to This Report\n\n\n\n\n                                                       Marcia Moxey Hodges, Chief Inspector, Department of Homeland\n                                                       Security, Office of Inspector General, Office of Inspections\n\n                                                       Katherine Roberts, Team Leader, Department of Homeland\n                                                       Security, Office of Inspector General, Office of Inspections\n\n                                                       Kimberley Lake, Inspector, Department of Homeland Security,\n                                                       Office of Inspector General, Office of Inspections\n\n                                                       Amy Tomlinson, Inspector, Department of Homeland Security,\n                                                       Office of Inspector General, Office of Inspections\n\n\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                Oil and Natural Gas Subsector \n\n\n                                                                          Page 61\n \n\n\x0cAppendix H\nReport Distribution\nAppendix H:        Report Distribution\n\n\n\n\n                                         Department of Homeland Security\n\n                                         Secretary\n                                         Deputy Secretary\n                                         Chief of Staff\n                                         Deputy Chief of Staff\n                                         General Counsel\n                                         Executive Secretariat\n                                         Director, GAO/OIG Liaison Office\n                                         Assistant Secretary for Office of Policy\n                                         Assistant Secretary for Office of Public Affairs\n                                         Assistant Secretary for Office of Legislative Affairs\n                                         Under Secretary for National Protection and Programs Directorate\n                                         Assistant Secretary for Infrastructure Protection\n                                         NPPD Audit Liaison\n                                         IP Audit Liaison\n                                         Director of Local Affairs, Office of Intergovernmental Affairs\n\n                                         Office of Management and Budget\n\n                                         Chief, Homeland Security Branch\n                                         DHS OIG Budget Examiner\n\n                                         Congress\n\n                                         Congressional Oversight and Appropriations Committees, as\n                                         appropriate\n\n\n\n\n              Protective Security Advisor Program Efforts to Build Effective Critical Infrastructure Partnerships: \n\n                                                Oil and Natural Gas Subsector \n\n\n                                                            Page 62\n \n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'